feat: traceroute request tracking and auth documentation

[Yeraze]

Summary

• Add screenshot to documentation
• Implement traceroute request time tracking to fix scheduling issues
• Document authentication recommendations in README

Changes

Traceroute Request Tracking

Previously, the automatic traceroute scheduler would get stuck on nodes that never complete traceroutes (offline nodes, unreachable nodes, etc.), preventing other nodes from getting refreshed traceroutes. This PR fixes the issue by tracking when traceroutes are requested rather than when they complete.

• Added lastTracerouteRequest field to nodes database table
• Updated getNodeNeedingTraceroute() to prioritize nodes by request time instead of completion time
• Created recordTracerouteRequest() method to update timestamp when traceroute is initiated
• Integrated recording into sendTraceroute() method

This ensures all nodes get scheduled for traceroutes in a fair rotation, regardless of whether they successfully respond.

Authentication Documentation

Added clear documentation that MeshMonitor has no internal authentication and should be proxied behind an auth provider:

• Listed recommended solutions (Authentik, Pocketbase, Authelia, nginx)
• Provided nginx basic auth example
• Referenced Authentik documentation for more complex setups

Documentation

• Added screenshot image to docs folder

Test plan

• Built and deployed with Docker
• Verify database migration adds new column
• Verify traceroute scheduler cycles through all nodes
• Verify nodes that don't respond don't block the queue

🤖 Generated with Claude Code

[claude]

Claude finished @Yeraze's task —— View job

---

PR Review Complete ✅

I've thoroughly reviewed this pull request implementing traceroute request tracking and authentication documentation. Here's my comprehensive feedback:

Progress:

• Read repository guidelines (CLAUDE.md)
• Analyze database schema changes
• Review traceroute scheduling logic
• Examine authentication documentation
• Provide comprehensive feedback

---

✅ Code Quality & Best Practices

Strong Points:

• Clean separation of concerns between database layer and business logic
• Proper error handling in migration code
• Good use of TypeScript interfaces and type safety
• Consistent code style throughout the changes
• Appropriate use of transactions and prepared statements

Database Migration Implementation:

• The migration for lastTracerouteRequest in database.ts:301-308 follows the established pattern correctly
• Proper error handling with duplicate column check
• Uses INTEGER type which is appropriate for timestamps

---

🐛 Potential Issues

Minor Issues Found:

1. Missing Index (database.ts:313-328): The new lastTracerouteRequest field should have an index for performance since it's used in ORDER BY clauses in getNodeNeedingTraceroute().

   Recommendation: Add this index:

   CREATE INDEX IF NOT EXISTS idx_nodes_lastTracerouteRequest ON nodes(lastTracerouteRequest);

2. Missing Update Query (database.ts:346-422): The upsertNode() method doesn't include lastTracerouteRequest in either the INSERT or UPDATE statements, meaning manual updates to this field could be overwritten.

   Impact: Low - the field is only updated via recordTracerouteRequest(), but this creates inconsistency.

---

⚡ Performance Considerations

Positive:

• The new scheduling logic (database.ts:836-860) is efficient with proper LIMIT 1 usage
• Two-tier approach (NULL first, then oldest) prevents expensive full table scans
• Uses appropriate ASC ordering for finding oldest requests

Recommendations:

• Add the missing index mentioned above for optimal query performance
• Consider adding a composite index on (nodeNum, lastTracerouteRequest) if this becomes a bottleneck

---

🔒 Security Review

Authentication Documentation (README.md:134-160):

• ✅ Clearly states no internal authentication
• ✅ Provides appropriate security recommendations
• ✅ Includes practical examples (nginx basic auth, Authentik)
• ✅ Links to external documentation appropriately

Code Security:

• ✅ No SQL injection risks (uses prepared statements)
• ✅ No sensitive data exposure
• ✅ Proper input validation in place

---

🧪 Test Coverage Concerns

Missing Test Areas:

• No tests for the new getNodeNeedingTraceroute() scheduling logic
• No tests for recordTracerouteRequest() method
• No verification that migration handles existing data correctly

Recommendations:

• Add unit tests for the new scheduling algorithm edge cases
• Test that nodes with NULL lastTracerouteRequest are prioritized correctly
• Verify the migration doesn't break existing functionality

---

💡 Suggestions for Improvement

1. Add Logging Enhancement (database.ts:862-868):

   recordTracerouteRequest(nodeNum: number): void {
     const now = Date.now();
     const stmt = this.db.prepare(`
       UPDATE nodes SET lastTracerouteRequest = ? WHERE nodeNum = ?
     `);
     const result = stmt.run(now, nodeNum);
     if (result.changes === 0) {
       console.warn(`⚠️ Failed to record traceroute request for node ${nodeNum} - node not found`);
     }
   }

2. Consider Rate Limiting: The current implementation doesn't prevent rapid traceroute requests to the same node. Consider adding a minimum interval check.

3. Documentation Enhancement: Add inline comments explaining the two-tier scheduling logic for future maintainers.

---

📊 Overall Assessment

This is a well-implemented solution that effectively addresses the traceroute scheduling problem. The approach of tracking request time instead of completion time is sound and will prevent nodes from getting stuck in the queue.

Risk Level: 🟢 Low - Changes are isolated and follow existing patterns
Readiness: ✅ Ready to merge with minor improvements recommended

The authentication documentation is comprehensive and provides appropriate security guidance for production deployments.

[claude]

Claude finished @Yeraze's task —— View job

---

PR Review Complete ✅

I've completed the code review for this traceroute request tracking and authentication documentation PR. Overall, this is a solid implementation that addresses the described scheduling issue effectively.

Review Summary:

• Code quality and best practices
• Potential bugs or issues
• Performance considerations
• Security concerns
• Test coverage

---

Code Quality & Best Practices ✅

Database Changes (src/services/database.ts)

Excellent implementation:

• ✅ Clean database migration in migrateSchema() with proper error handling
• ✅ New lastTracerouteRequest field properly added to DbNode interface
• ✅ Migration uses safe ALTER TABLE with duplicate column detection
• ✅ recordTracerouteRequest() method is simple and focused
• ✅ getNodeNeedingTraceroute() logic is well-structured with clear priority:
  1. Nodes never requested (fair initial distribution)
  2. Nodes with oldest request time (fair rotation)

Traceroute Integration (src/server/meshtasticManager.ts)

Properly integrated:

• ✅ recordTracerouteRequest() called immediately after sending request in sendTraceroute() method (line 2351)
• ✅ Placement is correct - records the request regardless of whether the target responds
• ✅ Auto-traceroute scheduler uses the updated logic (line 390)

Documentation (README.md)

Comprehensive authentication guidance:

• ✅ Clear statement that MeshMonitor has no internal auth
• ✅ Lists appropriate auth solutions (Authentik, Pocketbase, Authelia, nginx)
• ✅ Includes practical nginx basic auth example
• ✅ References external documentation for complex setups

---

Potential Issues & Improvements 🔍

Minor Issues

1. Database index optimization: Consider adding an index on lastTracerouteRequest for better performance:

   CREATE INDEX IF NOT EXISTS idx_nodes_lastTracerouteRequest ON nodes(lastTracerouteRequest);

2. Error handling: The recordTracerouteRequest() call in sendTraceroute() should ideally have error handling to prevent failure from affecting the main traceroute flow.

Suggestions for Future Enhancements

1. Configuration: Consider making the traceroute interval configurable
2. Metrics: Add logging/metrics for traceroute request success/failure rates
3. Admin UI: Could add an admin interface to view traceroute scheduling status

---

Performance Considerations ⚡

Current implementation is performant:

• ✅ Database queries are efficient with proper ordering
• ✅ getNodeNeedingTraceroute() uses LIMIT 1 to avoid unnecessary data transfer
• ✅ Timestamps are stored as integers (efficient storage and comparison)
• ✅ Migration is non-blocking and safe for existing deployments

Recommended optimization:

• Add the suggested index for lastTracerouteRequest to improve query performance as the node count grows

---

Security Considerations 🔒

No security issues identified:

• ✅ No SQL injection vulnerabilities (uses prepared statements)
• ✅ Authentication documentation properly explains security posture
• ✅ No sensitive data exposure in new fields
• ✅ Database operations follow existing patterns

Authentication documentation is appropriate:

• ✅ Honest about lack of internal auth
• ✅ Provides practical security recommendations
• ✅ Nginx example follows security best practices

---

Test Coverage 🧪

Areas needing attention:

• ⚠️ No visible unit tests for new recordTracerouteRequest() method
• ⚠️ No integration tests for the new scheduling behavior
• ⚠️ Database migration testing could be added

Recommended tests:

1. Test that getNodeNeedingTraceroute() properly prioritizes never-requested nodes
2. Test fair rotation after all nodes have been requested
3. Test that recordTracerouteRequest() updates timestamps correctly
4. Integration test verifying the scheduler works with stuck/offline nodes

---

Overall Assessment 🎯

This is a well-implemented fix that addresses the core issue described in the PR:

• ✅ Problem solved: Stuck offline nodes no longer block the traceroute queue
• ✅ Fair scheduling: All nodes get traceroute requests in rotation
• ✅ Clean implementation: Minimal, focused changes with proper database patterns
• ✅ Good documentation: Clear auth guidance for operators

Recommendation: APPROVE ✅

The implementation is solid, follows good practices, and solves the stated problem effectively. The suggested improvements are minor optimizations that could be addressed in future PRs.