RemotePower v3.2.1 — Release Notes

Released: 2026-05-26

Overview

v3.2.1 is a substantial follow-up release on top of v3.2.0. The big features (alerts inbox, inbound webhooks, MCP write tools, OIDC SSO, SNMPv2c polling, syslog ingestion) all shipped in v3.2.0; v3.2.1 is the operability pass: integration into every dashboard surface, threshold-driven alerting on SNMP-derived metrics, bug fixes from real-world testing, and polish on every new feature.

No schema migrations. Drop in the new tarball, reload nginx, hard-reload the browser once to refresh the service-worker cache (remotepower-shell-v3.2.0 → remotepower-shell-v3.2.1).

SNMP — became a first-class data source

In v3.2.0 SNMP shipped as a basic sys-group poll, buried in the CMDB asset modal. v3.2.1 surfaces SNMP data across the whole dashboard:

Surface	What you see
Devices page card	Green/red 📡 pill next to the hostname + "SNMP up Nd" meta cell
Monitoring → Device Metrics	Separate SNMP table with CPU %, Memory %, Storage list, Temperature, Uptime
Device drawer → Actions & Settings	SNMP config form (enable / community / port / Poll now) for agentless devices
Device drawer → Audit	"SNMP" expandable card with full sys-group, per-core CPU pills, UCD-SNMP load avg + memory, storage table, interface table (admin/oper/speed/octets/errors), Mikrotik vendor block, UniFi vendor block, partial-error footer
Devices page filter	New dropdown: Any SNMP / Configured / OK / Failing
Alerts inbox	snmp_unreachable / snmp_dead / snmp_recover events
Outbound webhooks	Same events available in Settings → Notifications
MCP read tool	get_snmp_data(name) exposes the full data set to AI hosts

What gets polled every 5 minutes

MIB	Why
sys-group (RFC 3418)	sysDescr, sysObjectID, sysUpTime, sysContact, sysName, sysLocation
hrProcessorTable (RFC 2790)	Per-core load %. Works on Mikrotik + Linux + BSD
hrStorageTable	Memory + filesystems with used %
UCD-SNMP-MIB	Load averages + raw CPU ticks + UCD memory totals (net-snmp boxes)
Mikrotik vendor (1.3.6.1.4.1.14988)	RouterOS version, board temp, CPU MHz, voltage

Deep-poll on demand

The drawer Audit tab also walks the IF-MIB::ifTable (interface table). That walk is heavier than the 5-min sweep — bounded at 64 interfaces, runs only when the operator opens the SNMP card. Returns admin/oper status, link speed, in/out octets, error counters per port.

SNMP threshold alerts

SNMP-derived values flow through the same threshold pipeline as agent metrics. The metric-threshold modal grows two rows:

• SNMP CPU % — defaults warn 75, crit 90
• Temperature °C — defaults warn 70, crit 85

Disk and memory % share the existing agent thresholds.

Fires metric_warning / metric_critical / metric_recovered through the regular event pipeline — alerts inbox + outbound webhooks

• Server Status site-health rollup, all wired transparently.

Unmonitored devices still collect SNMP data (visible in the metrics table with a "silent" badge) but skip the alert fire. Same posture as the agent metric pipeline.

Edge-triggered transitions

• snmp_unreachable — fires once on the 2nd consecutive poll failure. Severity: high. Single-packet UDP loss never alerts.
• snmp_dead — fires at the 72nd consecutive failure (~6 hours at the 5-min cadence). Severity: critical. Different event so operators can configure their webhook destinations separately.
• snmp_recover — auto-resolves BOTH snmp_unreachable and snmp_dead rows in the Alerts inbox via _ALERT_RECOVER_EXTRA.

Alerts inbox — operability

• Unmonitored devices no longer pollute the inbox. The _record_alert helper now applies the same monitored-gate that fire_webhook already had on outbound fan-out. Fleet-wide events (no device_id) and orphan events (device deleted) still record.
• Clear-alerts buttons. "Clear resolved" purges every resolved row; "Clear all" wipes everything (with double-confirm). Admin-only, audit-logged.
• Always-visible green-at-zero badges. Alerts and MCP Confirmations sidebar entries show their count badge even at 0 (green) — the empty state was misread as "no inbox exists".
• metric_critical events now enter the inbox. Previously missing from _ALERT_RULES; 90%+ threshold breaches fired the webhook but never created an inbox row.
• _fire_metric_webhook payload aliases. Added metric and level keys so the alert serializer can render the title and classify severity correctly from the metric-event shape.

MCP write tools — pre-validation

run_saved_script previously validated the script_id inside _mcp_execute — which runs AFTER the operator approves a confirmation. A typo would park a doomed confirmation that would fail silently on approval. v3.2.1 adds _mcp_validate_params that runs BEFORE the confirmation queue, so bogus IDs return 400 immediately.

Server Status

• Site health card — load average (1/5/15 min from /proc/loadavg), system memory % (from /proc/meminfo), active session count, devices-online %, derived ok | warn rollup with reason flags (high load, memory > 90%, < 80% devices online, < 90% webhook rate).
• Webhook delivery rate fix. No longer counts disabled/suppressed/filtered log entries as failed attempts. The 1/10 = 10% display on quiet fleets is gone. Now reads correctly as 1/1 = 100% with 9 skipped reported separately. Site-health flag ignores all-skipped case.
• Inbound webhook + syslog rate card. New row alongside outbound delivery — 24h/7d rates with by-kind breakdown (alert:N · syslog:M).
• Webhook log capacity bumped 100 → 500 entries so the 24h rate window survives a noisy day.

OIDC

• Test discovery endpoint. POST /api/auth/oidc/test (admin) probes the configured issuer at /.well-known/openid-configuration and returns the discovered endpoints + warnings for common misconfigs (missing client_secret, no openid scope, etc.).
• "Test discovery" button on the OIDC settings pane. Shows the redirect URI you need to register with your IdP, plus the parsed authorize / token / userinfo / jwks endpoints.

UI polish

• Sidebar widened 200 → 220 px to fit "MCP Confirmations" + count badge cleanly without clipping. Page content margin moved in lockstep.
• Duplicate "TLS / DNS" title above ACME Certificates removed. The title now lives inside the expiry panel so it doesn't render twice when viewing ACME.
• README gallery — click-through screenshot gallery via GitHub <details> accordion. Index.png remains the hero.

Security review notes

• Bearer auth (Authorization: Bearer <token>) accepted on every endpoint, not just /api/metrics. Token verification path is uniform — same TTL, role, admin gate. X-Token wins when both headers are present so proxy-injected Authorization headers can't override dashboard sessions. See docs/security.md.
• MCP role separation enforced — admin tokens cannot call MCP write endpoints; only mcp role keys can. Audit log records the originating AI host (X-MCP-Client) and natural-language prompt (X-MCP-Prompt) on every call.

Test coverage

1727 tests pass (was 1672 at the v3.2.0 base ship). Adds coverage for SNMP threshold alerts, clear-alerts endpoints, MCP write-tool pre-validation, unmonitored alert suppression, webhook-rate fix, SNMP walk subtree-boundary semantics, OIDC validation, and Bearer auth parity (X-Token vs. Authorization).

Upgrade

make dist          # builds dist/remotepower-3.2.1.tar.gz

Deploy the tarball, reload nginx, hard-reload the browser once. No schema migrations required.