Fix incorrect STORAGE_ROOT setup; Add installation scripts

Add app uptime and version status in Metrics dashboard
Update docs; Remove unnecessary hardcoded metrics details
2025-12-13 22:26:43 +08:00 · 2025-12-13 16:18:38 +08:00 · 2025-12-13 15:57:13 +08:00 · 2025-12-13 15:33:40 +08:00
10 changed files with 1163 additions and 51 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -185,14 +185,12 @@ def create_ui_app(test_config: Optional[Dict[str, Any]] = None) -> Flask:
 def _configure_cors(app: Flask) -> None:
    origins = app.config.get("CORS_ORIGINS", ["*"])
-    methods = app.config.get("CORS_METHODS", ["GET", "PUT", "POST", "DELETE", "OPTIONS"])
+    methods = app.config.get("CORS_METHODS", ["GET", "PUT", "POST", "DELETE", "OPTIONS", "HEAD"])
-    allow_headers = app.config.get(
+    allow_headers = app.config.get("CORS_ALLOW_HEADERS", ["*"])
-        "CORS_ALLOW_HEADERS",
+    expose_headers = app.config.get("CORS_EXPOSE_HEADERS", ["*"])
        ["Content-Type", "X-Access-Key", "X-Secret-Key", "X-Amz-Date", "X-Amz-SignedHeaders"],
    )
    CORS(
        app,
-        resources={r"/*": {"origins": origins, "methods": methods, "allow_headers": allow_headers}},
+        resources={r"/*": {"origins": origins, "methods": methods, "allow_headers": allow_headers, "expose_headers": expose_headers}},
        supports_credentials=True,
    )
--- a/app/config.py
+++ b/app/config.py
@@ -59,6 +59,7 @@ class AppConfig:
    cors_origins: list[str]
    cors_methods: list[str]
    cors_allow_headers: list[str]
    cors_expose_headers: list[str]
    session_lifetime_days: int
    auth_max_attempts: int
    auth_lockout_minutes: int
@@ -110,19 +111,19 @@ class AppConfig:
        iam_env_override = "IAM_CONFIG" in overrides or "IAM_CONFIG" in os.environ
        bucket_policy_override = "BUCKET_POLICY_PATH" in overrides or "BUCKET_POLICY_PATH" in os.environ
-        default_iam_path = PROJECT_ROOT / "data" / ".myfsio.sys" / "config" / "iam.json"
+        default_iam_path = storage_root / ".myfsio.sys" / "config" / "iam.json"
-        default_bucket_policy_path = PROJECT_ROOT / "data" / ".myfsio.sys" / "config" / "bucket_policies.json"
+        default_bucket_policy_path = storage_root / ".myfsio.sys" / "config" / "bucket_policies.json"
        iam_config_path = Path(_get("IAM_CONFIG", default_iam_path)).resolve()
        bucket_policy_path = Path(_get("BUCKET_POLICY_PATH", default_bucket_policy_path)).resolve()
        iam_config_path = _prepare_config_file(
            iam_config_path,
-            legacy_path=None if iam_env_override else PROJECT_ROOT / "data" / "iam.json",
+            legacy_path=None if iam_env_override else storage_root / "iam.json",
        )
        bucket_policy_path = _prepare_config_file(
            bucket_policy_path,
-            legacy_path=None if bucket_policy_override else PROJECT_ROOT / "data" / "bucket_policies.json",
+            legacy_path=None if bucket_policy_override else storage_root / "bucket_policies.json",
        )
        api_base_url = _get("API_BASE_URL", None)
        if api_base_url:
@@ -133,7 +134,7 @@ class AppConfig:
        enforce_ui_policies = str(_get("UI_ENFORCE_BUCKET_POLICIES", "0")).lower() in {"1", "true", "yes", "on"}
        log_level = str(_get("LOG_LEVEL", "INFO")).upper()
        log_to_file = str(_get("LOG_TO_FILE", "1")).lower() in {"1", "true", "yes", "on"}
-        log_dir = Path(_get("LOG_DIR", PROJECT_ROOT / "logs")).resolve()
+        log_dir = Path(_get("LOG_DIR", storage_root.parent / "logs")).resolve()
        log_dir.mkdir(parents=True, exist_ok=True)
        log_path = log_dir / str(_get("LOG_FILE", "app.log"))
        log_max_bytes = int(_get("LOG_MAX_BYTES", 5 * 1024 * 1024))
@@ -148,18 +149,9 @@ class AppConfig:
            return parts or default
        cors_origins = _csv(str(_get("CORS_ORIGINS", "*")), ["*"])
-        cors_methods = _csv(str(_get("CORS_METHODS", "GET,PUT,POST,DELETE,OPTIONS")), ["GET", "PUT", "POST", "DELETE", "OPTIONS"])
+        cors_methods = _csv(str(_get("CORS_METHODS", "GET,PUT,POST,DELETE,OPTIONS,HEAD")), ["GET", "PUT", "POST", "DELETE", "OPTIONS", "HEAD"])
-        cors_allow_headers = _csv(str(_get("CORS_ALLOW_HEADERS", "Content-Type,X-Access-Key,X-Secret-Key,X-Amz-Algorithm,X-Amz-Credential,X-Amz-Date,X-Amz-Expires,X-Amz-SignedHeaders,X-Amz-Signature")), [
+        cors_allow_headers = _csv(str(_get("CORS_ALLOW_HEADERS", "*")), ["*"])
-            "Content-Type",
+        cors_expose_headers = _csv(str(_get("CORS_EXPOSE_HEADERS", "*")), ["*"])
            "X-Access-Key",
            "X-Secret-Key",
            "X-Amz-Algorithm",
            "X-Amz-Credential",
            "X-Amz-Date",
            "X-Amz-Expires",
            "X-Amz-SignedHeaders",
            "X-Amz-Signature",
        ])
        session_lifetime_days = int(_get("SESSION_LIFETIME_DAYS", 30))
        bucket_stats_cache_ttl = int(_get("BUCKET_STATS_CACHE_TTL", 60))  # Default 60 seconds
@@ -191,6 +183,7 @@ class AppConfig:
                   cors_origins=cors_origins,
                   cors_methods=cors_methods,
                   cors_allow_headers=cors_allow_headers,
                   cors_expose_headers=cors_expose_headers,
                   session_lifetime_days=session_lifetime_days,
                   auth_max_attempts=auth_max_attempts,
                   auth_lockout_minutes=auth_lockout_minutes,
@@ -205,6 +198,102 @@ class AppConfig:
                   kms_keys_path=kms_keys_path,
                   default_encryption_algorithm=default_encryption_algorithm)
    def validate_and_report(self) -> list[str]:
        """Validate configuration and return a list of warnings/issues.
        Call this at startup to detect potential misconfigurations before
        the application fully commits to running.
        """
        issues = []
        # Check if storage_root is writable
        try:
            test_file = self.storage_root / ".write_test"
            test_file.touch()
            test_file.unlink()
        except (OSError, PermissionError) as e:
            issues.append(f"CRITICAL: STORAGE_ROOT '{self.storage_root}' is not writable: {e}")
        # Check if storage_root looks like a temp directory
        storage_str = str(self.storage_root).lower()
        if "/tmp" in storage_str or "\\temp" in storage_str or "appdata\\local\\temp" in storage_str:
            issues.append(f"WARNING: STORAGE_ROOT '{self.storage_root}' appears to be a temporary directory. Data may be lost on reboot!")
        # Check if IAM config path is under storage_root
        try:
            self.iam_config_path.relative_to(self.storage_root)
        except ValueError:
            issues.append(f"WARNING: IAM_CONFIG '{self.iam_config_path}' is outside STORAGE_ROOT '{self.storage_root}'. Consider setting IAM_CONFIG explicitly or ensuring paths are aligned.")
        # Check if bucket policy path is under storage_root
        try:
            self.bucket_policy_path.relative_to(self.storage_root)
        except ValueError:
            issues.append(f"WARNING: BUCKET_POLICY_PATH '{self.bucket_policy_path}' is outside STORAGE_ROOT '{self.storage_root}'. Consider setting BUCKET_POLICY_PATH explicitly.")
        # Check if log path is writable
        try:
            self.log_path.parent.mkdir(parents=True, exist_ok=True)
            test_log = self.log_path.parent / ".write_test"
            test_log.touch()
            test_log.unlink()
        except (OSError, PermissionError) as e:
            issues.append(f"WARNING: Log directory '{self.log_path.parent}' is not writable: {e}")
        # Check log path location
        log_str = str(self.log_path).lower()
        if "/tmp" in log_str or "\\temp" in log_str or "appdata\\local\\temp" in log_str:
            issues.append(f"WARNING: LOG_DIR '{self.log_path.parent}' appears to be a temporary directory. Logs may be lost on reboot!")
        # Check if encryption keys path is under storage_root (when encryption is enabled)
        if self.encryption_enabled:
            try:
                self.encryption_master_key_path.relative_to(self.storage_root)
            except ValueError:
                issues.append(f"WARNING: ENCRYPTION_MASTER_KEY_PATH '{self.encryption_master_key_path}' is outside STORAGE_ROOT. Ensure proper backup procedures.")
        # Check if KMS keys path is under storage_root (when KMS is enabled)
        if self.kms_enabled:
            try:
                self.kms_keys_path.relative_to(self.storage_root)
            except ValueError:
                issues.append(f"WARNING: KMS_KEYS_PATH '{self.kms_keys_path}' is outside STORAGE_ROOT. Ensure proper backup procedures.")
        # Warn about production settings
        if self.secret_key == "dev-secret-key":
            issues.append("WARNING: Using default SECRET_KEY. Set SECRET_KEY environment variable for production.")
        if "*" in self.cors_origins:
            issues.append("INFO: CORS_ORIGINS is set to '*'. Consider restricting to specific domains in production.")
        return issues
    def print_startup_summary(self) -> None:
        """Print a summary of the configuration at startup."""
        print("\n" + "=" * 60)
        print("MyFSIO Configuration Summary")
        print("=" * 60)
        print(f"  STORAGE_ROOT:     {self.storage_root}")
        print(f"  IAM_CONFIG:       {self.iam_config_path}")
        print(f"  BUCKET_POLICY:    {self.bucket_policy_path}")
        print(f"  LOG_PATH:         {self.log_path}")
        if self.api_base_url:
            print(f"  API_BASE_URL:     {self.api_base_url}")
        if self.encryption_enabled:
            print(f"  ENCRYPTION:       Enabled (Master key: {self.encryption_master_key_path})")
        if self.kms_enabled:
            print(f"  KMS:              Enabled (Keys: {self.kms_keys_path})")
        print("=" * 60)
        issues = self.validate_and_report()
        if issues:
            print("\nConfiguration Issues Detected:")
            for issue in issues:
                print(f"  • {issue}")
            print()
        else:
            print("  ✓ Configuration validated successfully\n")
    def to_flask_config(self) -> Dict[str, Any]:
        return {
            "STORAGE_ROOT": str(self.storage_root),
@@ -234,6 +323,7 @@ class AppConfig:
            "CORS_ORIGINS": self.cors_origins,
            "CORS_METHODS": self.cors_methods,
            "CORS_ALLOW_HEADERS": self.cors_allow_headers,
            "CORS_EXPOSE_HEADERS": self.cors_expose_headers,
            "SESSION_LIFETIME_DAYS": self.session_lifetime_days,
            "ENCRYPTION_ENABLED": self.encryption_enabled,
            "ENCRYPTION_MASTER_KEY_PATH": str(self.encryption_master_key_path),
--- a/app/ui.py
+++ b/app/ui.py
@@ -1505,6 +1505,9 @@ def metrics_dashboard():
        flash("Access denied: Metrics require admin permissions", "danger")
        return redirect(url_for("ui.buckets_overview"))
    from app.version import APP_VERSION
    import time
    cpu_percent = psutil.cpu_percent(interval=0.1)
    memory = psutil.virtual_memory()
@@ -1527,6 +1530,11 @@ def metrics_dashboard():
        total_objects += stats.get("total_objects", stats.get("objects", 0))
        total_bytes_used += stats.get("total_bytes", stats.get("bytes", 0))
        total_versions += stats.get("version_count", 0)
    # Calculate system uptime
    boot_time = psutil.boot_time()
    uptime_seconds = time.time() - boot_time
    uptime_days = int(uptime_seconds / 86400)
    return render_template(
        "metrics.html",
@@ -1550,6 +1558,8 @@ def metrics_dashboard():
            "versions": total_versions,
            "storage_used": _format_bytes(total_bytes_used),
            "storage_raw": total_bytes_used,
            "version": APP_VERSION,
            "uptime_days": uptime_days,
        }
    )
--- a/app/version.py
+++ b/app/version.py
@@ -1,7 +1,7 @@
 """Central location for the application version string."""
 from __future__ import annotations
-APP_VERSION = "0.1.3"
+APP_VERSION = "0.1.5"
 def get_version() -> str:
--- a/docs.md
+++ b/docs.md
@@ -33,6 +33,63 @@ python run.py --mode api   # API only (port 5000)
 python run.py --mode ui    # UI only (port 5100)
 ```
 ### Configuration validation
 Validate your configuration before deploying:
 ```bash
 # Show configuration summary
 python run.py --show-config
 ./myfsio --show-config
 # Validate and check for issues (exits with code 1 if critical issues found)
 python run.py --check-config
 ./myfsio --check-config
 ```
 ### Linux Installation (Recommended for Production)
 For production deployments on Linux, use the provided installation script:
 ```bash
 # Download the binary and install script
 # Then run the installer with sudo:
 sudo ./scripts/install.sh --binary ./myfsio
 # Or with custom paths:
 sudo ./scripts/install.sh \
  --binary ./myfsio \
  --install-dir /opt/myfsio \
  --data-dir /mnt/storage/myfsio \
  --log-dir /var/log/myfsio \
  --api-url https://s3.example.com \
  --user myfsio
 # Non-interactive mode (for automation):
 sudo ./scripts/install.sh --binary ./myfsio -y
 ```
 The installer will:
 1. Create a dedicated system user
 2. Set up directories with proper permissions
 3. Generate a secure `SECRET_KEY`
 4. Create an environment file at `/opt/myfsio/myfsio.env`
 5. Install and configure a systemd service
 After installation:
 ```bash
 sudo systemctl start myfsio    # Start the service
 sudo systemctl enable myfsio   # Enable on boot
 sudo systemctl status myfsio   # Check status
 sudo journalctl -u myfsio -f   # View logs
 ```
 To uninstall:
 ```bash
 sudo ./scripts/uninstall.sh              # Full removal
 sudo ./scripts/uninstall.sh --keep-data  # Keep data directory
 ```
 ### Docker quickstart
 The repo now ships a `Dockerfile` so you can run both services in one container:
@@ -69,23 +126,97 @@ The repo now tracks a human-friendly release string inside `app/version.py` (see
 ## 3. Configuration Reference
 All configuration is done via environment variables. The table below lists every supported variable.
 ### Core Settings
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `STORAGE_ROOT` | `<repo>/data` | Filesystem home for all buckets/objects. |
-| `MAX_UPLOAD_SIZE` | `1073741824` | Bytes. Caps incoming uploads in both API + UI. |
+| `MAX_UPLOAD_SIZE` | `1073741824` (1 GiB) | Bytes. Caps incoming uploads in both API + UI. |
 | `UI_PAGE_SIZE` | `100` | `MaxKeys` hint shown in listings. |
-| `SECRET_KEY` | `dev-secret-key` | Flask session key for UI auth. |
+| `SECRET_KEY` | Auto-generated | Flask session key. Auto-generates and persists if not set. **Set explicitly in production.** |
-| `IAM_CONFIG` | `<repo>/data/.myfsio.sys/config/iam.json` | Stores users, secrets, and inline policies. |
+| `API_BASE_URL` | `None` | Public URL for presigned URLs. Required behind proxies. |
 | `BUCKET_POLICY_PATH` | `<repo>/data/.myfsio.sys/config/bucket_policies.json` | Bucket policy store (auto hot-reload). |
 | `API_BASE_URL` | `None` | Used by the UI to hit API endpoints (presign/policy). If unset, the UI will auto-detect the host or use `X-Forwarded-*` headers. |
 | `AWS_REGION` | `us-east-1` | Region embedded in SigV4 credential scope. |
 | `AWS_SERVICE` | `s3` | Service string for SigV4. |
 | `ENCRYPTION_ENABLED` | `false` | Enable server-side encryption support. |
 | `KMS_ENABLED` | `false` | Enable KMS key management for encryption. |
 | `KMS_KEYS_PATH` | `data/kms_keys.json` | Path to store KMS key metadata. |
 | `ENCRYPTION_MASTER_KEY_PATH` | `data/master.key` | Path to the master encryption key file. |
-Set env vars (or pass overrides to `create_app`) to point the servers at custom paths.
+### IAM & Security
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `IAM_CONFIG` | `data/.myfsio.sys/config/iam.json` | Stores users, secrets, and inline policies. |
 | `BUCKET_POLICY_PATH` | `data/.myfsio.sys/config/bucket_policies.json` | Bucket policy store (auto hot-reload). |
 | `AUTH_MAX_ATTEMPTS` | `5` | Failed login attempts before lockout. |
 | `AUTH_LOCKOUT_MINUTES` | `15` | Lockout duration after max failed attempts. |
 | `SESSION_LIFETIME_DAYS` | `30` | How long UI sessions remain valid. |
 | `SECRET_TTL_SECONDS` | `300` | TTL for ephemeral secrets (presigned URLs). |
 | `UI_ENFORCE_BUCKET_POLICIES` | `false` | Whether the UI should enforce bucket policies. |
 ### CORS (Cross-Origin Resource Sharing)
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `CORS_ORIGINS` | `*` | Comma-separated allowed origins. Use specific domains in production. |
 | `CORS_METHODS` | `GET,PUT,POST,DELETE,OPTIONS,HEAD` | Allowed HTTP methods. |
 | `CORS_ALLOW_HEADERS` | `*` | Allowed request headers. |
 | `CORS_EXPOSE_HEADERS` | `*` | Response headers visible to browsers (e.g., `ETag`). |
 ### Rate Limiting
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `RATE_LIMIT_DEFAULT` | `200 per minute` | Default rate limit for API endpoints. |
 | `RATE_LIMIT_STORAGE_URI` | `memory://` | Storage backend for rate limits. Use `redis://host:port` for distributed setups. |
 ### Logging
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `LOG_LEVEL` | `INFO` | Log verbosity: `DEBUG`, `INFO`, `WARNING`, `ERROR`. |
 | `LOG_TO_FILE` | `true` | Enable file logging. |
 | `LOG_DIR` | `<repo>/logs` | Directory for log files. |
 | `LOG_FILE` | `app.log` | Log filename. |
 | `LOG_MAX_BYTES` | `5242880` (5 MB) | Max log file size before rotation. |
 | `LOG_BACKUP_COUNT` | `3` | Number of rotated log files to keep. |
 ### Encryption
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `ENCRYPTION_ENABLED` | `false` | Enable server-side encryption support. |
 | `ENCRYPTION_MASTER_KEY_PATH` | `data/.myfsio.sys/keys/master.key` | Path to the master encryption key file. |
 | `DEFAULT_ENCRYPTION_ALGORITHM` | `AES256` | Default algorithm for new encrypted objects. |
 | `KMS_ENABLED` | `false` | Enable KMS key management for encryption. |
 | `KMS_KEYS_PATH` | `data/.myfsio.sys/keys/kms_keys.json` | Path to store KMS key metadata. |
 ### Performance Tuning
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `STREAM_CHUNK_SIZE` | `65536` (64 KB) | Chunk size for streaming large files. |
 | `MULTIPART_MIN_PART_SIZE` | `5242880` (5 MB) | Minimum part size for multipart uploads. |
 | `BUCKET_STATS_CACHE_TTL` | `60` | Seconds to cache bucket statistics. |
 | `BULK_DELETE_MAX_KEYS` | `500` | Maximum keys per bulk delete request. |
 ### Server Settings
 | Variable | Default | Notes |
 | --- | --- | --- |
 | `APP_HOST` | `0.0.0.0` | Network interface to bind to. |
 | `APP_PORT` | `5000` | API server port (UI uses 5100). |
 | `FLASK_DEBUG` | `0` | Enable Flask debug mode. **Never enable in production.** |
 ### Production Checklist
 Before deploying to production, ensure you:
 1. **Set `SECRET_KEY`** - Use a strong, unique value (e.g., `openssl rand -base64 32`)
 2. **Restrict CORS** - Set `CORS_ORIGINS` to your specific domains instead of `*`
 3. **Configure `API_BASE_URL`** - Required for correct presigned URLs behind proxies
 4. **Enable HTTPS** - Use a reverse proxy (nginx, Cloudflare) with TLS termination
 5. **Review rate limits** - Adjust `RATE_LIMIT_DEFAULT` based on your needs
 6. **Secure master keys** - Back up `ENCRYPTION_MASTER_KEY_PATH` if using encryption
 7. **Use `--prod` flag** - Runs with Waitress instead of Flask dev server
 ### Proxy Configuration
@@ -95,6 +226,333 @@ If running behind a reverse proxy (e.g., Nginx, Cloudflare, or a tunnel), ensure
 The application automatically trusts these headers to generate correct presigned URLs (e.g., `https://s3.example.com/...` instead of `http://127.0.0.1:5000/...`). Alternatively, you can explicitly set `API_BASE_URL` to your public endpoint.
 ## 4. Upgrading and Updates
 ### Version Checking
 The application version is tracked in `app/version.py` and exposed via:
 - **Health endpoint:** `GET /healthz` returns JSON with `version` field
 - **Metrics dashboard:** Navigate to `/ui/metrics` to see the running version in the System Status card
 To check your current version:
 ```bash
 # API health endpoint
 curl http://localhost:5000/healthz
 # Or inspect version.py directly
 cat app/version.py | grep APP_VERSION
 ```
 ### Pre-Update Backup Procedures
 **Always backup before upgrading to prevent data loss:**
 ```bash
 # 1. Stop the application
 # Ctrl+C if running in terminal, or:
 docker stop myfsio  # if using Docker
 # 2. Backup configuration files (CRITICAL)
 mkdir -p backups/$(date +%Y%m%d_%H%M%S)
 cp -r data/.myfsio.sys/config backups/$(date +%Y%m%d_%H%M%S)/
 # 3. Backup all data (optional but recommended)
 tar -czf backups/data_$(date +%Y%m%d_%H%M%S).tar.gz data/
 # 4. Backup logs for audit trail
 cp -r logs backups/$(date +%Y%m%d_%H%M%S)/
 ```
 **Windows PowerShell:**
 ```powershell
 # Create timestamped backup
 $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
 New-Item -ItemType Directory -Path "backups\$timestamp" -Force
 # Backup configs
 Copy-Item -Recurse "data\.myfsio.sys\config" "backups\$timestamp\"
 # Backup entire data directory
 Compress-Archive -Path "data\" -DestinationPath "backups\data_$timestamp.zip"
 ```
 **Critical files to backup:**
 - `data/.myfsio.sys/config/iam.json` – User accounts and access keys
 - `data/.myfsio.sys/config/bucket_policies.json` – Bucket access policies
 - `data/.myfsio.sys/config/kms_keys.json` – Encryption keys (if using KMS)
 - `data/.myfsio.sys/config/secret_store.json` – Application secrets
 ### Update Procedures
 #### Source Installation Updates
 ```bash
 # 1. Backup (see above)
 # 2. Pull latest code
 git fetch origin
 git checkout main  # or your target branch/tag
 git pull
 # 3. Check for dependency changes
 pip install -r requirements.txt
 # 4. Review CHANGELOG/release notes for breaking changes
 cat CHANGELOG.md  # if available
 # 5. Run migration scripts (if any)
 # python scripts/migrate_vX_to_vY.py  # example
 # 6. Restart application
 python run.py
 ```
 #### Docker Updates
 ```bash
 # 1. Backup (see above)
 # 2. Pull/rebuild image
 docker pull yourregistry/myfsio:latest
 # OR rebuild from source:
 docker build -t myfsio:latest .
 # 3. Stop and remove old container
 docker stop myfsio
 docker rm myfsio
 # 4. Start new container with same volumes
 docker run -d \
  --name myfsio \
  -p 5000:5000 -p 5100:5100 \
  -v "$(pwd)/data:/app/data" \
  -v "$(pwd)/logs:/app/logs" \
  -e SECRET_KEY="your-secret" \
  myfsio:latest
 # 5. Verify health
 curl http://localhost:5000/healthz
 ```
 ### Version Compatibility Checks
 Before upgrading across major versions, verify compatibility:
 | From Version | To Version | Breaking Changes | Migration Required |
 |--------------|------------|------------------|-------------------|
 | 0.1.x | 0.2.x | None expected | No |
 | < 0.1.0 | >= 0.1.0 | New IAM config format | Yes - run migration script |
 **Automatic compatibility detection:**
 The application will log warnings on startup if config files need migration:
 ```
 WARNING: IAM config format is outdated (v1). Please run: python scripts/migrate_iam.py
 ```
 **Manual compatibility check:**
 ```bash
 # Compare version schemas
 python -c "from app.version import APP_VERSION; print(f'Running: {APP_VERSION}')"
 python scripts/check_compatibility.py data/.myfsio.sys/config/
 ```
 ### Migration Steps for Breaking Changes
 When release notes indicate breaking changes, follow these steps:
 #### Config Format Migrations
 ```bash
 # 1. Backup first (critical!)
 cp data/.myfsio.sys/config/iam.json data/.myfsio.sys/config/iam.json.backup
 # 2. Run provided migration script
 python scripts/migrate_iam_v1_to_v2.py
 # 3. Validate migration
 python scripts/validate_config.py
 # 4. Test with read-only mode first (if available)
 # python run.py --read-only
 # 5. Restart normally
 python run.py
 ```
 #### Database/Storage Schema Changes
 If object metadata format changes:
 ```bash
 # 1. Run storage migration script
 python scripts/migrate_storage.py --dry-run  # preview changes
 # 2. Apply migration
 python scripts/migrate_storage.py --apply
 # 3. Verify integrity
 python scripts/verify_storage.py
 ```
 #### IAM Policy Updates
 If IAM action names change (e.g., `s3:Get` → `s3:GetObject`):
 ```bash
 # Migration script will update all policies
 python scripts/migrate_policies.py \
  --input data/.myfsio.sys/config/iam.json \
  --backup data/.myfsio.sys/config/iam.json.v1
 # Review changes before committing
 python scripts/diff_policies.py \
  data/.myfsio.sys/config/iam.json.v1 \
  data/.myfsio.sys/config/iam.json
 ```
 ### Rollback Procedures
 If an update causes issues, rollback to the previous version:
 #### Quick Rollback (Source)
 ```bash
 # 1. Stop application
 # Ctrl+C or kill process
 # 2. Revert code
 git checkout <previous-version-tag>
 # OR
 git reset --hard HEAD~1
 # 3. Restore configs from backup
 cp backups/20241213_103000/config/* data/.myfsio.sys/config/
 # 4. Downgrade dependencies if needed
 pip install -r requirements.txt
 # 5. Restart
 python run.py
 ```
 #### Docker Rollback
 ```bash
 # 1. Stop current container
 docker stop myfsio
 docker rm myfsio
 # 2. Start previous version
 docker run -d \
  --name myfsio \
  -p 5000:5000 -p 5100:5100 \
  -v "$(pwd)/data:/app/data" \
  -v "$(pwd)/logs:/app/logs" \
  -e SECRET_KEY="your-secret" \
  myfsio:0.1.3  # specify previous version tag
 # 3. Verify
 curl http://localhost:5000/healthz
 ```
 #### Emergency Config Restore
 If only config is corrupted but code is fine:
 ```bash
 # Stop app
 # Restore from latest backup
 cp backups/20241213_103000/config/iam.json data/.myfsio.sys/config/
 cp backups/20241213_103000/config/bucket_policies.json data/.myfsio.sys/config/
 # Restart app
 python run.py
 ```
 ### Blue-Green Deployment (Zero Downtime)
 For production environments requiring zero downtime:
 ```bash
 # 1. Run new version on different port (e.g., 5001/5101)
 APP_PORT=5001 UI_PORT=5101 python run.py &
 # 2. Health check new instance
 curl http://localhost:5001/healthz
 # 3. Update load balancer to route to new ports
 # 4. Monitor for issues
 # 5. Gracefully stop old instance
 kill -SIGTERM <old-pid>
 ```
 ### Post-Update Verification
 After any update, verify functionality:
 ```bash
 # 1. Health check
 curl http://localhost:5000/healthz
 # 2. Login to UI
 open http://localhost:5100/ui
 # 3. Test IAM authentication
 curl -H "X-Amz-Security-Token: <your-access-key>:<your-secret>" \
  http://localhost:5000/
 # 4. Test presigned URL generation
 # Via UI or API
 # 5. Check logs for errors
 tail -n 100 logs/myfsio.log
 ```
 ### Automated Update Scripts
 Create a custom update script for your environment:
 ```bash
 #!/bin/bash
 # update.sh - Automated update with rollback capability
 set -e  # Exit on error
 VERSION_NEW="$1"
 BACKUP_DIR="backups/$(date +%Y%m%d_%H%M%S)"
 echo "Creating backup..."
 mkdir -p "$BACKUP_DIR"
 cp -r data/.myfsio.sys/config "$BACKUP_DIR/"
 echo "Updating to version $VERSION_NEW..."
 git fetch origin
 git checkout "v$VERSION_NEW"
 pip install -r requirements.txt
 echo "Starting application..."
 python run.py &
 APP_PID=$!
 # Wait and health check
 sleep 5
 if curl -f http://localhost:5000/healthz; then
  echo "Update successful!"
 else
  echo "Health check failed, rolling back..."
  kill $APP_PID
  git checkout -
  cp -r "$BACKUP_DIR/config/*" data/.myfsio.sys/config/
  python run.py &
  exit 1
 fi
 ```
 ## 4. Authentication & IAM
 1. On first boot, `data/.myfsio.sys/config/iam.json` is seeded with `localadmin / localadmin` that has wildcard access.
@@ -577,9 +1035,3 @@ DELETE /bucket-policy/<bucket>          # Delete policy
 GET    /<bucket>?quota                  # Get bucket quota
 PUT    /<bucket>?quota                  # Set bucket quota (admin only)
 ```
 ## 14. Next Steps
 - Tailor IAM + policy JSON files for team-ready presets.
 - Wrap `run_api.py` with gunicorn or another WSGI server for long-running workloads.
 - Extend `bucket_policies.json` to cover Deny statements that simulate production security controls.
--- a/run.py
+++ b/run.py
@@ -8,6 +8,7 @@ import warnings
 from multiprocessing import Process
 from app import create_api_app, create_ui_app
 from app.config import AppConfig
 def _server_host() -> str:
@@ -55,12 +56,48 @@ if __name__ == "__main__":
    parser.add_argument("--ui-port", type=int, default=5100)
    parser.add_argument("--prod", action="store_true", help="Run in production mode using Waitress")
    parser.add_argument("--dev", action="store_true", help="Force development mode (Flask dev server)")
    parser.add_argument("--check-config", action="store_true", help="Validate configuration and exit")
    parser.add_argument("--show-config", action="store_true", help="Show configuration summary and exit")
    args = parser.parse_args()
    # Handle config check/show modes
    if args.check_config or args.show_config:
        config = AppConfig.from_env()
        config.print_startup_summary()
        if args.check_config:
            issues = config.validate_and_report()
            critical = [i for i in issues if i.startswith("CRITICAL:")]
            sys.exit(1 if critical else 0)
        sys.exit(0)
    # Default to production mode when running as compiled binary
    # unless --dev is explicitly passed
    prod_mode = args.prod or (_is_frozen() and not args.dev)
    # Validate configuration before starting
    config = AppConfig.from_env()
    # Show startup summary only on first run (when marker file doesn't exist)
    first_run_marker = config.storage_root / ".myfsio.sys" / ".initialized"
    is_first_run = not first_run_marker.exists()
    if is_first_run:
        config.print_startup_summary()
        # Check for critical issues that should prevent startup
        issues = config.validate_and_report()
        critical_issues = [i for i in issues if i.startswith("CRITICAL:")]
        if critical_issues:
            print("ABORTING: Critical configuration issues detected. Fix them before starting.")
            sys.exit(1)
        # Create the marker file to indicate successful first run
        try:
            first_run_marker.parent.mkdir(parents=True, exist_ok=True)
            first_run_marker.write_text(f"Initialized on {__import__('datetime').datetime.now().isoformat()}\n")
        except OSError:
            pass  # Non-critical, just skip marker creation
    if prod_mode:
        print("Running in production mode (Waitress)")
    else:
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -0,0 +1,292 @@
 #!/bin/bash
 #
 # MyFSIO Installation Script
 # This script sets up MyFSIO for production use on Linux systems.
 #
 # Usage:
 #   curl -fsSL https://example.com/install.sh | bash
 #   OR
 #   ./install.sh [OPTIONS]
 #
 # Options:
 #   --install-dir DIR    Installation directory (default: /opt/myfsio)
 #   --data-dir DIR       Data directory (default: /var/lib/myfsio)
 #   --log-dir DIR        Log directory (default: /var/log/myfsio)
 #   --user USER          System user to run as (default: myfsio)
 #   --port PORT          API port (default: 5000)
 #   --ui-port PORT       UI port (default: 5100)
 #   --api-url URL        Public API URL (for presigned URLs behind proxy)
 #   --no-systemd         Skip systemd service creation
 #   --binary PATH        Path to myfsio binary (will download if not provided)
 #   -y, --yes            Skip confirmation prompts
 #
 set -e
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Default values
 INSTALL_DIR="/opt/myfsio"
 DATA_DIR="/var/lib/myfsio"
 LOG_DIR="/var/log/myfsio"
 SERVICE_USER="myfsio"
 API_PORT="5000"
 UI_PORT="5100"
 API_URL=""
 SKIP_SYSTEMD=false
 BINARY_PATH=""
 AUTO_YES=false
 # Parse arguments
 while [[ $# -gt 0 ]]; do
    case $1 in
        --install-dir)
            INSTALL_DIR="$2"
            shift 2
            ;;
        --data-dir)
            DATA_DIR="$2"
            shift 2
            ;;
        --log-dir)
            LOG_DIR="$2"
            shift 2
            ;;
        --user)
            SERVICE_USER="$2"
            shift 2
            ;;
        --port)
            API_PORT="$2"
            shift 2
            ;;
        --ui-port)
            UI_PORT="$2"
            shift 2
            ;;
        --api-url)
            API_URL="$2"
            shift 2
            ;;
        --no-systemd)
            SKIP_SYSTEMD=true
            shift
            ;;
        --binary)
            BINARY_PATH="$2"
            shift 2
            ;;
        -y|--yes)
            AUTO_YES=true
            shift
            ;;
        -h|--help)
            head -30 "$0" | tail -25
            exit 0
            ;;
        *)
            echo -e "${RED}Unknown option: $1${NC}"
            exit 1
            ;;
    esac
 done
 echo -e "${BLUE}"
 echo "╔══════════════════════════════════════════════════════════╗"
 echo "║                  MyFSIO Installation                     ║"
 echo "║           S3-Compatible Object Storage                   ║"
 echo "╚══════════════════════════════════════════════════════════╝"
 echo -e "${NC}"
 # Check if running as root
 if [[ $EUID -ne 0 ]]; then
    echo -e "${RED}Error: This script must be run as root (use sudo)${NC}"
    exit 1
 fi
 # Display configuration
 echo -e "${YELLOW}Installation Configuration:${NC}"
 echo "  Install directory:  $INSTALL_DIR"
 echo "  Data directory:     $DATA_DIR"
 echo "  Log directory:      $LOG_DIR"
 echo "  Service user:       $SERVICE_USER"
 echo "  API port:           $API_PORT"
 echo "  UI port:            $UI_PORT"
 if [[ -n "$API_URL" ]]; then
    echo "  Public API URL:     $API_URL"
 fi
 if [[ -n "$BINARY_PATH" ]]; then
    echo "  Binary path:        $BINARY_PATH"
 fi
 echo ""
 # Confirm installation
 if [[ "$AUTO_YES" != true ]]; then
    read -p "Proceed with installation? [y/N] " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        echo "Installation cancelled."
        exit 0
    fi
 fi
 echo ""
 echo -e "${GREEN}[1/7]${NC} Creating system user..."
 if id "$SERVICE_USER" &>/dev/null; then
    echo "  User '$SERVICE_USER' already exists"
 else
    useradd --system --no-create-home --shell /usr/sbin/nologin "$SERVICE_USER"
    echo "  Created user '$SERVICE_USER'"
 fi
 echo -e "${GREEN}[2/7]${NC} Creating directories..."
 mkdir -p "$INSTALL_DIR"
 mkdir -p "$DATA_DIR"
 mkdir -p "$LOG_DIR"
 echo "  Created $INSTALL_DIR"
 echo "  Created $DATA_DIR"
 echo "  Created $LOG_DIR"
 echo -e "${GREEN}[3/7]${NC} Installing binary..."
 if [[ -n "$BINARY_PATH" ]]; then
    if [[ -f "$BINARY_PATH" ]]; then
        cp "$BINARY_PATH" "$INSTALL_DIR/myfsio"
        echo "  Copied binary from $BINARY_PATH"
    else
        echo -e "${RED}Error: Binary not found at $BINARY_PATH${NC}"
        exit 1
    fi
 elif [[ -f "./myfsio" ]]; then
    cp "./myfsio" "$INSTALL_DIR/myfsio"
    echo "  Copied binary from ./myfsio"
 else
    echo -e "${RED}Error: No binary provided. Use --binary PATH or place 'myfsio' in current directory${NC}"
    exit 1
 fi
 chmod +x "$INSTALL_DIR/myfsio"
 echo -e "${GREEN}[4/7]${NC} Generating secret key..."
 SECRET_KEY=$(openssl rand -base64 32)
 echo "  Generated secure SECRET_KEY"
 echo -e "${GREEN}[5/7]${NC} Creating environment file..."
 cat > "$INSTALL_DIR/myfsio.env" << EOF
 # MyFSIO Configuration
 # Generated by install.sh on $(date)
 # Storage paths
 STORAGE_ROOT=$DATA_DIR
 LOG_DIR=$LOG_DIR
 # Network
 APP_HOST=0.0.0.0
 APP_PORT=$API_PORT
 # Security - CHANGE IN PRODUCTION
 SECRET_KEY=$SECRET_KEY
 CORS_ORIGINS=*
 # Public URL (set this if behind a reverse proxy)
 $(if [[ -n "$API_URL" ]]; then echo "API_BASE_URL=$API_URL"; else echo "# API_BASE_URL=https://s3.example.com"; fi)
 # Logging
 LOG_LEVEL=INFO
 LOG_TO_FILE=true
 # Rate limiting
 RATE_LIMIT_DEFAULT=200 per minute
 # Optional: Encryption (uncomment to enable)
 # ENCRYPTION_ENABLED=true
 # KMS_ENABLED=true
 EOF
 chmod 600 "$INSTALL_DIR/myfsio.env"
 echo "  Created $INSTALL_DIR/myfsio.env"
 echo -e "${GREEN}[6/7]${NC} Setting permissions..."
 chown -R "$SERVICE_USER:$SERVICE_USER" "$INSTALL_DIR"
 chown -R "$SERVICE_USER:$SERVICE_USER" "$DATA_DIR"
 chown -R "$SERVICE_USER:$SERVICE_USER" "$LOG_DIR"
 echo "  Set ownership to $SERVICE_USER"
 if [[ "$SKIP_SYSTEMD" != true ]]; then
    echo -e "${GREEN}[7/7]${NC} Creating systemd service..."
    cat > /etc/systemd/system/myfsio.service << EOF
 [Unit]
 Description=MyFSIO S3-Compatible Storage
 Documentation=https://github.com/yourusername/myfsio
 After=network.target
 [Service]
 Type=simple
 User=$SERVICE_USER
 Group=$SERVICE_USER
 WorkingDirectory=$INSTALL_DIR
 EnvironmentFile=$INSTALL_DIR/myfsio.env
 ExecStart=$INSTALL_DIR/myfsio
 Restart=on-failure
 RestartSec=5
 # Security hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
 ReadWritePaths=$DATA_DIR $LOG_DIR
 PrivateTmp=true
 # Resource limits (adjust as needed)
 # LimitNOFILE=65535
 # MemoryMax=2G
 [Install]
 WantedBy=multi-user.target
 EOF
    systemctl daemon-reload
    echo "  Created /etc/systemd/system/myfsio.service"
 else
    echo -e "${GREEN}[7/7]${NC} Skipping systemd service (--no-systemd)"
 fi
 echo ""
 echo -e "${GREEN}╔══════════════════════════════════════════════════════════╗${NC}"
 echo -e "${GREEN}║              Installation Complete!                      ║${NC}"
 echo -e "${GREEN}╚══════════════════════════════════════════════════════════╝${NC}"
 echo ""
 echo -e "${YELLOW}Next steps:${NC}"
 echo ""
 echo "  1. Review configuration:"
 echo "     ${BLUE}cat $INSTALL_DIR/myfsio.env${NC}"
 echo ""
 echo "  2. Start the service:"
 echo "     ${BLUE}sudo systemctl start myfsio${NC}"
 echo ""
 echo "  3. Enable on boot:"
 echo "     ${BLUE}sudo systemctl enable myfsio${NC}"
 echo ""
 echo "  4. Check status:"
 echo "     ${BLUE}sudo systemctl status myfsio${NC}"
 echo ""
 echo "  5. View logs:"
 echo "     ${BLUE}sudo journalctl -u myfsio -f${NC}"
 echo "     ${BLUE}tail -f $LOG_DIR/app.log${NC}"
 echo ""
 echo -e "${YELLOW}Access:${NC}"
 echo "  API:  http://$(hostname -I | awk '{print $1}'):$API_PORT"
 echo "  UI:   http://$(hostname -I | awk '{print $1}'):$UI_PORT/ui"
 echo ""
 echo -e "${YELLOW}Default credentials:${NC}"
 echo "  Username: localadmin"
 echo "  Password: localadmin"
 echo -e "  ${RED}⚠ Change these immediately after first login!${NC}"
 echo ""
 echo -e "${YELLOW}Configuration files:${NC}"
 echo "  Environment:     $INSTALL_DIR/myfsio.env"
 echo "  IAM Users:       $DATA_DIR/.myfsio.sys/config/iam.json"
 echo "  Bucket Policies: $DATA_DIR/.myfsio.sys/config/bucket_policies.json"
 echo ""
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@@ -0,0 +1,174 @@
 #!/bin/bash
 #
 # MyFSIO Uninstall Script
 # This script removes MyFSIO from your system.
 #
 # Usage:
 #   ./uninstall.sh [OPTIONS]
 #
 # Options:
 #   --keep-data         Don't remove data directory
 #   --keep-logs         Don't remove log directory
 #   --install-dir DIR   Installation directory (default: /opt/myfsio)
 #   --data-dir DIR      Data directory (default: /var/lib/myfsio)
 #   --log-dir DIR       Log directory (default: /var/log/myfsio)
 #   --user USER         System user (default: myfsio)
 #   -y, --yes           Skip confirmation prompts
 #
 set -e
 # Colors
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m'
 # Default values
 INSTALL_DIR="/opt/myfsio"
 DATA_DIR="/var/lib/myfsio"
 LOG_DIR="/var/log/myfsio"
 SERVICE_USER="myfsio"
 KEEP_DATA=false
 KEEP_LOGS=false
 AUTO_YES=false
 # Parse arguments
 while [[ $# -gt 0 ]]; do
    case $1 in
        --keep-data)
            KEEP_DATA=true
            shift
            ;;
        --keep-logs)
            KEEP_LOGS=true
            shift
            ;;
        --install-dir)
            INSTALL_DIR="$2"
            shift 2
            ;;
        --data-dir)
            DATA_DIR="$2"
            shift 2
            ;;
        --log-dir)
            LOG_DIR="$2"
            shift 2
            ;;
        --user)
            SERVICE_USER="$2"
            shift 2
            ;;
        -y|--yes)
            AUTO_YES=true
            shift
            ;;
        -h|--help)
            head -20 "$0" | tail -15
            exit 0
            ;;
        *)
            echo -e "${RED}Unknown option: $1${NC}"
            exit 1
            ;;
    esac
 done
 echo -e "${RED}"
 echo "╔══════════════════════════════════════════════════════════╗"
 echo "║                 MyFSIO Uninstallation                    ║"
 echo "╚══════════════════════════════════════════════════════════╝"
 echo -e "${NC}"
 # Check if running as root
 if [[ $EUID -ne 0 ]]; then
    echo -e "${RED}Error: This script must be run as root (use sudo)${NC}"
    exit 1
 fi
 echo -e "${YELLOW}The following will be removed:${NC}"
 echo "  Install directory: $INSTALL_DIR"
 if [[ "$KEEP_DATA" != true ]]; then
    echo -e "  Data directory:    $DATA_DIR ${RED}(ALL YOUR DATA!)${NC}"
 else
    echo "  Data directory:    $DATA_DIR (KEPT)"
 fi
 if [[ "$KEEP_LOGS" != true ]]; then
    echo "  Log directory:     $LOG_DIR"
 else
    echo "  Log directory:     $LOG_DIR (KEPT)"
 fi
 echo "  Systemd service:   /etc/systemd/system/myfsio.service"
 echo "  System user:       $SERVICE_USER"
 echo ""
 if [[ "$AUTO_YES" != true ]]; then
    echo -e "${RED}WARNING: This action cannot be undone!${NC}"
    read -p "Are you sure you want to uninstall MyFSIO? [y/N] " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        echo "Uninstallation cancelled."
        exit 0
    fi
 fi
 echo ""
 echo -e "${GREEN}[1/5]${NC} Stopping service..."
 if systemctl is-active --quiet myfsio 2>/dev/null; then
    systemctl stop myfsio
    echo "  Stopped myfsio service"
 else
    echo "  Service not running"
 fi
 echo -e "${GREEN}[2/5]${NC} Disabling service..."
 if systemctl is-enabled --quiet myfsio 2>/dev/null; then
    systemctl disable myfsio
    echo "  Disabled myfsio service"
 else
    echo "  Service not enabled"
 fi
 echo -e "${GREEN}[3/5]${NC} Removing systemd service..."
 if [[ -f /etc/systemd/system/myfsio.service ]]; then
    rm -f /etc/systemd/system/myfsio.service
    systemctl daemon-reload
    echo "  Removed /etc/systemd/system/myfsio.service"
 else
    echo "  Service file not found"
 fi
 echo -e "${GREEN}[4/5]${NC} Removing directories..."
 if [[ -d "$INSTALL_DIR" ]]; then
    rm -rf "$INSTALL_DIR"
    echo "  Removed $INSTALL_DIR"
 fi
 if [[ "$KEEP_DATA" != true ]] && [[ -d "$DATA_DIR" ]]; then
    rm -rf "$DATA_DIR"
    echo "  Removed $DATA_DIR"
 elif [[ "$KEEP_DATA" == true ]]; then
    echo "  Kept $DATA_DIR"
 fi
 if [[ "$KEEP_LOGS" != true ]] && [[ -d "$LOG_DIR" ]]; then
    rm -rf "$LOG_DIR"
    echo "  Removed $LOG_DIR"
 elif [[ "$KEEP_LOGS" == true ]]; then
    echo "  Kept $LOG_DIR"
 fi
 echo -e "${GREEN}[5/5]${NC} Removing system user..."
 if id "$SERVICE_USER" &>/dev/null; then
    userdel "$SERVICE_USER" 2>/dev/null || true
    echo "  Removed user '$SERVICE_USER'"
 else
    echo "  User not found"
 fi
 echo ""
 echo -e "${GREEN}MyFSIO has been uninstalled.${NC}"
 if [[ "$KEEP_DATA" == true ]]; then
    echo -e "${YELLOW}Data preserved at: $DATA_DIR${NC}"
 fi
--- a/templates/docs.html
+++ b/templates/docs.html
@@ -55,8 +55,8 @@ python run.py --mode ui
            <tbody>
              <tr>
                <td><code>API_BASE_URL</code></td>
-                <td><code>http://127.0.0.1:5000</code></td>
+                <td><code>None</code></td>
-                <td>The public URL of the API. <strong>Required</strong> if running behind a proxy or if the UI and API are on different domains. Ensures presigned URLs are generated correctly.</td>
+                <td>The public URL of the API. <strong>Required</strong> if running behind a proxy. Ensures presigned URLs are generated correctly.</td>
              </tr>
              <tr>
                <td><code>STORAGE_ROOT</code></td>
@@ -65,13 +65,13 @@ python run.py --mode ui
              </tr>
              <tr>
                <td><code>MAX_UPLOAD_SIZE</code></td>
-                <td><code>5 GB</code></td>
+                <td><code>1 GB</code></td>
-                <td>Max request body size.</td>
+                <td>Max request body size in bytes.</td>
              </tr>
              <tr>
                <td><code>SECRET_KEY</code></td>
-                <td>(Random)</td>
+                <td>(Auto-generated)</td>
-                <td>Flask session key. Set this in production.</td>
+                <td>Flask session key. Auto-generates if not set. <strong>Set explicitly in production.</strong></td>
              </tr>
              <tr>
                <td><code>APP_HOST</code></td>
@@ -81,7 +81,51 @@ python run.py --mode ui
              <tr>
                <td><code>APP_PORT</code></td>
                <td><code>5000</code></td>
-                <td>Listen port.</td>
+                <td>Listen port (UI uses 5100).</td>
              </tr>
              <tr class="table-secondary">
                <td colspan="3" class="fw-semibold">CORS Settings</td>
              </tr>
              <tr>
                <td><code>CORS_ORIGINS</code></td>
                <td><code>*</code></td>
                <td>Allowed origins. <strong>Restrict in production.</strong></td>
              </tr>
              <tr>
                <td><code>CORS_METHODS</code></td>
                <td><code>GET,PUT,POST,DELETE,OPTIONS,HEAD</code></td>
                <td>Allowed HTTP methods.</td>
              </tr>
              <tr>
                <td><code>CORS_ALLOW_HEADERS</code></td>
                <td><code>*</code></td>
                <td>Allowed request headers.</td>
              </tr>
              <tr>
                <td><code>CORS_EXPOSE_HEADERS</code></td>
                <td><code>*</code></td>
                <td>Response headers visible to browsers (e.g., <code>ETag</code>).</td>
              </tr>
              <tr class="table-secondary">
                <td colspan="3" class="fw-semibold">Security Settings</td>
              </tr>
              <tr>
                <td><code>AUTH_MAX_ATTEMPTS</code></td>
                <td><code>5</code></td>
                <td>Failed login attempts before lockout.</td>
              </tr>
              <tr>
                <td><code>AUTH_LOCKOUT_MINUTES</code></td>
                <td><code>15</code></td>
                <td>Lockout duration after max failed attempts.</td>
              </tr>
              <tr>
                <td><code>RATE_LIMIT_DEFAULT</code></td>
                <td><code>200 per minute</code></td>
                <td>Default API rate limit.</td>
              </tr>
              <tr class="table-secondary">
                <td colspan="3" class="fw-semibold">Encryption Settings</td>
              </tr>
              <tr>
                <td><code>ENCRYPTION_ENABLED</code></td>
@@ -93,9 +137,25 @@ python run.py --mode ui
                <td><code>false</code></td>
                <td>Enable KMS key management for encryption.</td>
              </tr>
              <tr class="table-secondary">
                <td colspan="3" class="fw-semibold">Logging Settings</td>
              </tr>
              <tr>
                <td><code>LOG_LEVEL</code></td>
                <td><code>INFO</code></td>
                <td>Log verbosity: DEBUG, INFO, WARNING, ERROR.</td>
              </tr>
              <tr>
                <td><code>LOG_TO_FILE</code></td>
                <td><code>true</code></td>
                <td>Enable file logging.</td>
              </tr>
            </tbody>
          </table>
        </div>
        <div class="alert alert-warning mt-3 mb-0 small">
          <strong>Production Checklist:</strong> Set <code>SECRET_KEY</code>, restrict <code>CORS_ORIGINS</code>, configure <code>API_BASE_URL</code>, enable HTTPS via reverse proxy, and use <code>--prod</code> flag.
        </div>
      </div>
    </article>
    <article id="background" class="card shadow-sm docs-section">
@@ -140,7 +200,7 @@ WorkingDirectory=/opt/myfsio
 ExecStart=/opt/myfsio/myfsio
 Restart=on-failure
 RestartSec=5
-Environment=MYFSIO_DATA_DIR=/var/lib/myfsio
+Environment=STORAGE_ROOT=/var/lib/myfsio
 Environment=API_BASE_URL=https://s3.example.com
 [Install]
--- a/templates/metrics.html
+++ b/templates/metrics.html
@@ -126,7 +126,6 @@
    <div class="card shadow-sm border-0">
      <div class="card-header bg-transparent border-0 pt-4 px-4 d-flex justify-content-between align-items-center">
        <h5 class="card-title mb-0 fw-semibold">System Overview</h5>
        <span class="badge bg-primary-subtle text-primary">Live</span>
      </div>
      <div class="card-body p-4">
        <div class="table-responsive">
@@ -233,14 +232,14 @@
            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="bi bi-check-circle-fill me-1" viewBox="0 0 16 16">
              <path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zm-3.97-3.03a.75.75 0 0 0-1.08.022L7.477 9.417 5.384 7.323a.75.75 0 0 0-1.06 1.06L6.97 11.03a.75.75 0 0 0 1.079-.02l3.992-4.99a.75.75 0 0 0-.01-1.05z"/>
            </svg>
-            Healthy
+            v{{ app.version }}
          </span>
        </div>
        <h4 class="card-title fw-bold mb-3">System Status</h4>
        <p class="card-text opacity-90 mb-4">All systems operational. Your storage infrastructure is running smoothly with no detected issues.</p>
        <div class="d-flex gap-4">
          <div>
-            <div class="h3 fw-bold mb-0">99.9%</div>
+            <div class="h3 fw-bold mb-0">{{ app.uptime_days }}d</div>
            <small class="opacity-75">Uptime</small>
          </div>
          <div>
Author	SHA1	Message	Date
kqjy	563bb8fa6a	Fix incorrect STORAGE_ROOT setup; Add installation scripts	2025-12-13 22:26:43 +08:00
kqjy	5ccf53b688	Add app uptime and version status in Metrics dashboard	2025-12-13 16:18:38 +08:00
kqjy	4d4256830a	Update docs; Remove unnecessary hardcoded metrics details	2025-12-13 15:57:13 +08:00
kqjy	137e3b7b68	Configure CORS default settings	2025-12-13 15:33:40 +08:00