more tweaks

Author: tstromberg

README.md

@@ -6,26 +6,26 @@ The MDM for startups that actually care about security.
 
 Your startup just hit the enterprise sales milestone where someone asks "are you SOC 2 compliant?" Meanwhile, your engineering team runs OpenBSD on ThinkPads, Arch on Frameworks, and that one person still dailying Plan 9. 
 
-Traditional MDMs want root access, auto-update themselves from the internet, and can execute arbitrary code pushed from their cloud. Your security engineer just had an aneurysm.
+Traditional MDMs run as root, execute arbitrary code from their cloud servers, and auto-install binaries downloaded from the internet. Your security engineer just had an aneurysm.
 
 ## Our Solution
 
 gitMDM proves compliance without the backdoor:
 
 ```
-Traditional MDM: "Install our kernel extension!"
+Traditional MDM: "Install our root agent that downloads and executes code from our servers!"
 Your Team: "How about no."
 
-gitMDM: "Run a read-only agent that reports to YOUR server"
+gitMDM: "Run a read-only agent as a regular user that only reports"
 Your Team: "...continue"
 ```
 
 ### Why Your Security Team Will Actually Approve This
 
-- **Zero Remote Execution**: Can't push commands. Not won't. Can't. The server only receives data.
-- **No Auto-Updates**: Agent is a static binary. Updates require YOU to rebuild and redeploy.
-- **Runs as User**: No root, no SYSTEM. Just a regular user process.
-- **You Own Everything**: Your server, your git repo, your data. Host it in your VPC.
+- **Zero Remote Execution**: Can't push commands or install software. The server only receives data.
+- **No Auto-Updates**: No downloading binaries from the internet. Updates require YOU to rebuild and redeploy.
+- **Runs as User**: No root, no SYSTEM. Can't execute arbitrary code or modify your system.
+- **You Own Everything**: Your server, your git repo, your data. No third-party cloud with root access to your fleet.
 - **Audit Everything**: Every change is a git commit. `git blame` for compliance.
 
 ## Quick Start for the Impatient
@@ -51,10 +51,10 @@ Join keys stored in `~/.config/gitmdm/` (or wherever your OS says), not in proce
 
 | SOC 2 Says | Traditional MDMs Do | We Do |
 |------------|---------------------|--------|
-| Disk encryption | Run as root, phone home for instructions | Read `/proc/mounts` as user |
-| Screen locks | Auto-update from vendor's CDN | Check your screensaver config |
-| OS updates | Force reboots during demos | Report version numbers |
-| Firewall enabled | Execute arbitrary scripts from cloud | Check `iptables -L` output |
+| Disk encryption | Run as root to verify and enforce | Check encryption status as user |
+| Screen locks | Execute scripts as root to enforce policies | Read your existing screensaver config |
+| OS updates | Download and install updates as root | Report current version numbers |
+| Firewall enabled | Execute commands as root to modify rules | Check firewall status (read-only) |
 
 ## Platform Detection That Actually Works
 
@@ -129,7 +129,7 @@ A: No. Check the code. The handler doesn't exist.
 A: It's 2 dependencies: yaml and retry. Vendor them if paranoid.
 
 **Q: Does it require root?**  
-A: Never. User-level only. Your kernel remains unmolested.
+A: Never. User-level only. Just reads system configuration.
 
 **Q: What data does it collect?**  
 A: Read `checks.yaml`. It's compiled in. No surprises.
@@ -154,4 +154,4 @@ A: On the roadmap. PRs welcome from fellow paranoids.
 
 ---
 
-*"Because your security posture shouldn't require the missionary position."*
+*"Because compliance doesn't require compromise."*

cmd/agent/checks.yaml

@@ -576,14 +576,8 @@ checks:
       - output: sw_vers
     linux:
       - file: /etc/os-release
-    freebsd:
-      - output: freebsd-version
-    openbsd:
-      - output: sysctl -n kern.version
-    netbsd:
-      - output: sysctl -n kern.version
-    dragonfly:
-      - output: sysctl -n kern.version
+    unix:
+      - output: uname -srm
     solaris:
       - file: /etc/release
     illumos:

cmd/server/main.go

@@ -81,9 +81,10 @@ var (
 
 // ComplianceCache stores pre-calculated compliance stats for a device.
 type ComplianceCache struct {
-	PassCount int
-	FailCount int
-	NACount   int
+	PassCount    int
+	FailCount    int
+	NACount      int
+	HasCheckedIn bool // true if device has reported since server startup
 }
 
 // Server represents the gitMDM server that receives and stores compliance reports.
@@ -391,14 +392,26 @@ func (s *Server) loadDevices(ctx context.Context) error {
 // updateComplianceCacheLocked updates the compliance cache for a device.
 // Caller must hold s.mu lock.
 func (s *Server) updateComplianceCacheLocked(device *gitmdm.Device) {
+	// Get existing cache to preserve HasCheckedIn flag
+	existingCache, exists := s.complianceCache[device.HardwareID]
 	cache := &ComplianceCache{}
+	if exists {
+		cache.HasCheckedIn = existingCache.HasCheckedIn
+	}
 
-	// Filter out checks that are more than 1 hour older than LastSeen
-	staleThreshold := device.LastSeen.Add(-1 * time.Hour)
-
+	// Determine staleness threshold
+	var staleThreshold time.Time
+	if cache.HasCheckedIn {
+		// Device has checked in since server startup - use 1 day staleness
+		staleThreshold = time.Now().Add(-24 * time.Hour)
+	} else {
+		// Device hasn't checked in yet - use all data from git
+		staleThreshold = time.Time{} // Zero time means no filtering
+	}
+	
 	for _, check := range device.Checks {
-		// Skip stale checks that are too old
-		if !check.Timestamp.IsZero() && check.Timestamp.Before(staleThreshold) {
+		// Skip stale checks only if we have a threshold and the check has a timestamp
+		if !staleThreshold.IsZero() && !check.Timestamp.IsZero() && check.Timestamp.Before(staleThreshold) {
 			continue
 		}
 
@@ -526,7 +539,9 @@ func (s *Server) handleIndex(writer http.ResponseWriter, req *http.Request) {
 					item.ComplianceClass = "poor"
 				}
 			} else {
-				item.ComplianceClass = "poor"
+				// No checks data available
+				item.ComplianceClass = "unknown"
+				item.ComplianceEmoji = "—"
 			}
 		} else {
 			item.ComplianceClass = "poor"
@@ -633,6 +648,7 @@ func (s *Server) handleDevice(writer http.ResponseWriter, r *http.Request) {
 
 	s.mu.RLock()
 	device, exists := s.devices[hardwareID]
+	cache, _ := s.complianceCache[hardwareID]
 	s.mu.RUnlock()
 
 	if !exists {
@@ -641,8 +657,18 @@ func (s *Server) handleDevice(writer http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Determine staleness threshold based on whether device has checked in
+	var staleThreshold time.Time
+	if cache != nil && cache.HasCheckedIn {
+		// Device has checked in since server startup - use 1 day staleness
+		staleThreshold = time.Now().Add(-24 * time.Hour)
+	} else {
+		// Device hasn't checked in yet - use all data from git
+		staleThreshold = time.Time{} // Zero time means no filtering
+	}
+
 	// Build detailed view model with compliance analysis
-	viewData := viewmodels.BuildDeviceDetail(device)
+	viewData := viewmodels.BuildDeviceDetail(device, staleThreshold)
 
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	if err := s.tmpl.ExecuteTemplate(writer, "device.html", viewData); err != nil {
@@ -783,6 +809,12 @@ func (s *Server) handleReport(writer http.ResponseWriter, request *http.Request)
 	// Always update in-memory cache first for immediate availability
 	s.mu.Lock()
 	s.devices[device.HardwareID] = device
+	// Mark that this device has checked in since server startup
+	if existingCache, exists := s.complianceCache[device.HardwareID]; exists {
+		existingCache.HasCheckedIn = true
+	} else {
+		s.complianceCache[device.HardwareID] = &ComplianceCache{HasCheckedIn: true}
+	}
 	// Update compliance cache
 	s.updateComplianceCacheLocked(device)
 	s.mu.Unlock()

cmd/server/templates/device.html

@@ -619,6 +619,15 @@ <h3 class="empty-state-title">No Compliance Data Available</h3>
         {{end}}
     </div>
 
+    <div style="margin-top: 48px; padding-top: 24px; border-top: 1px solid var(--color-border-default); text-align: center;">
+        <a href="https://github.com/codeGROOVE-dev/gitMDM" target="_blank" style="color: var(--color-fg-muted); text-decoration: none; font-size: 12px;">
+            <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16" fill="currentColor" style="vertical-align: middle; margin-right: 4px;">
+                <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"/>
+            </svg>
+            Powered by gitMDM
+        </a>
+    </div>
+
     <script src="/static/device.js"></script>
 </body>
 </html>

cmd/server/templates/index.html

@@ -459,7 +459,7 @@ <h1 class="page-title">gitMDM Dashboard</h1>
             </div>
             <div class="stat-card">
                 <div class="stat-value neutral">{{$checkingCount}}</div>
-                <div class="stat-label">Checking</div>
+                <div class="stat-label">No Data</div>
             </div>
         </div>
 
@@ -490,7 +490,7 @@ <h1 class="page-title">gitMDM Dashboard</h1>
                     Has Issues
                 </button>
                 <button class="filter-tab {{if eq .Status "checking"}}active{{end}}" data-status="checking">
-                    Checking
+                    No Data
                 </button>
             </div>
         </div>
@@ -541,7 +541,7 @@ <h1 class="page-title">gitMDM Dashboard</h1>
                                         <svg width="12" height="12" viewBox="0 0 16 16" fill="currentColor">
                                             <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm9.78-2.22-5.5 5.5-1.78-1.78-.72.72 2.5 2.5 6.22-6.22-.72-.72Z"/>
                                         </svg>
-                                        Checking
+                                        No Data
                                     </span>
                                 {{end}}
                             </td>
@@ -600,6 +600,15 @@ <h2 class="empty-state-title">∅ Devices</h2>
         {{end}}
     </div>
 
+    <div style="margin-top: 48px; padding-top: 24px; border-top: 1px solid var(--color-border-default); text-align: center;">
+        <a href="https://github.com/codeGROOVE-dev/gitMDM" target="_blank" style="color: var(--color-fg-muted); text-decoration: none; font-size: 12px;">
+            <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16" fill="currentColor" style="vertical-align: middle; margin-right: 4px;">
+                <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"/>
+            </svg>
+            Powered by gitMDM
+        </a>
+    </div>
+
     <script src="/static/index.js"></script>
 </body>
 </html>

cmd/server/templates/index_complex.html

@@ -319,7 +319,7 @@ <h3><a href="/device/{{.HardwareID}}">{{.Hostname}}</a></h3>
                             {{if .ComplianceScore}}
                                 {{if ge .ComplianceScore 0.9}}Excellent{{else if ge .ComplianceScore 0.7}}Good{{else}}Needs Attention{{end}}
                             {{else}}
-                                Checking...
+                                No Data
                             {{end}}
                         </div>
                     </div>
@@ -353,5 +353,14 @@ <h3>No Devices Found</h3>
             {{end}}
         </div>
     </div>
+
+    <div style="margin-top: 48px; padding-top: 24px; border-top: 1px solid #dee2e6; text-align: center;">
+        <a href="https://github.com/codeGROOVE-dev/gitMDM" target="_blank" style="color: #6c757d; text-decoration: none; font-size: 14px;">
+            <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16" fill="currentColor" style="vertical-align: middle; margin-right: 4px;">
+                <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"/>
+            </svg>
+            Powered by gitMDM
+        </a>
+    </div>
 </body>
 </html>

internal/viewmodels/viewmodels.go

@@ -67,19 +67,17 @@ type CheckResult struct {
 }
 
 // BuildDeviceDetail creates a detailed view model for a single device.
-func BuildDeviceDetail(device *gitmdm.Device) *DeviceDetail {
+// staleThreshold determines which checks to include - zero time means include all.
+func BuildDeviceDetail(device *gitmdm.Device, staleThreshold time.Time) *DeviceDetail {
 	detail := &DeviceDetail{
 		Device:       device,
 		CheckResults: make(map[string]CheckResult),
 	}
 
-	// Filter out checks that are more than 1 hour older than LastSeen
-	staleThreshold := device.LastSeen.Add(-1 * time.Hour)
-
 	// Process all checks
 	for checkName, check := range device.Checks {
-		// Skip stale checks that are too old
-		if !check.Timestamp.IsZero() && check.Timestamp.Before(staleThreshold) {
+		// Skip stale checks only if we have a threshold and the check has a timestamp
+		if !staleThreshold.IsZero() && !check.Timestamp.IsZero() && check.Timestamp.Before(staleThreshold) {
 			continue
 		}
 		var emoji string
@@ -212,7 +210,7 @@ func extractFromSystemInfo(device *gitmdm.Device) (osName, version string) {
 	if osName, osVersion := parseLinuxOutput(output); osName != unknownVersion {
 		return osName, osVersion
 	}
-	if osName, osVersion := parseFreeBSDOutput(output); osName != unknownVersion {
+	if osName, osVersion := parseUnixUnameOutput(output); osName != unknownVersion {
 		return osName, osVersion
 	}
 	if osName, osVersion := parseWindowsOutput(output); osName != unknownVersion {
@@ -309,20 +307,28 @@ func parseLinuxOutput(output string) (osName, version string) {
 	return unknownVersion, unknownVersion
 }
 
-// parseFreeBSDOutput parses FreeBSD freebsd-version output.
-func parseFreeBSDOutput(output string) (osName, version string) {
-	if !strings.Contains(output, "FreeBSD") {
+// parseUnixUnameOutput parses uname -srm output for Unix systems.
+// Example outputs:
+// OpenBSD 7.4 amd64
+// FreeBSD 14.0-RELEASE amd64
+// NetBSD 10.0 amd64
+// DragonFly 6.4-RELEASE x86_64.
+func parseUnixUnameOutput(output string) (osName, version string) {
+	parts := strings.Fields(output)
+	if len(parts) < 2 {
 		return unknownVersion, unknownVersion
 	}
 
-	lines := strings.Split(output, "\n")
-	if len(lines) > 0 {
-		parts := strings.Fields(lines[0])
-		if len(parts) >= 2 {
-			return "FreeBSD", parts[1]
-		}
+	// First field is OS name, second is version
+	osName = parts[0]
+	version = parts[1]
+
+	// Clean up version strings that have -RELEASE, -CURRENT, etc.
+	if idx := strings.Index(version, "-"); idx > 0 {
+		version = version[:idx]
 	}
-	return "FreeBSD", unknownVersion
+
+	return osName, version
 }
 
 // parseWindowsOutput parses Windows systeminfo output.