feat(fleet): expose default-password remediation UX #482

Draft
ankitgoswami wants to merge 2 commits into codex/proto-creds-auth-review-fixes from codex/proto-creds-default-password-ui
@ankitgoswami ankitgoswami commented Jun 16, 2026

Contributor

Summary

Adds the Fleet UI remediation path for miners that are paired, reporting telemetry, and still using the factory default password. Operators now see default-password miners as needing attention, can launch the existing Manage security flow from row/issues/setup surfaces, and cannot run normal mutating actions against those miners.

Stack: #471 -> #480 -> this PR. The diff here is relative to #480, which provides the server-side command and reconciliation safety boundary; this PR is intentionally client-only except for E2E fixtures. #477 is a sibling fleet-node enrollment follow-up stacked on #480 and can be reviewed independently from this UI layer. Phase 3 cleanup remains out of scope.

How it works

Fleet-visible pairing filters include DEFAULT_PASSWORD, so default-password miners stay in the miner list and continue showing telemetry instead of looking offline or hidden. Shared remediation helpers map DEFAULT_PASSWORD to password-change-required copy, status badges, issue cells, and measurement behavior while leaving AUTHENTICATION_NEEDED on the login/re-authenticate path.

Action surfaces use the backend eligibility boundary from #480. Normal row, bulk, and group actions count default-password miners as disabled; Manage security remains available and is scoped by a DEFAULT_PASSWORD filter when the operator clicks the password-required issue or the Complete setup card. Complete setup now has an Update passwords card that targets all default-password miners after pairing, alongside the existing pool and authentication setup cards.

Diagrams

flowchart TD
  A["Fleet list receives miner snapshot"] --> B{"pairing_status"}
  B -->|"PAIRED"| C["normal telemetry and actions"]
  B -->|"DEFAULT_PASSWORD"| D["telemetry visible + password issue"]
  B -->|"AUTHENTICATION_NEEDED"| E["authentication issue"]
  D --> F["row issue click"]
  D --> G["Complete setup: Update passwords"]
  F --> H["Manage security modal"]
  G --> H
  H --> I["all-devices selector filtered to DEFAULT_PASSWORD"]

Areas of the code involved

| Area / package / file | What changed | Why it matters for review |
| --- | --- | --- |
| client/src/protoFleet/features/fleetManagement/utils/pairingRemediation.ts | Centralized predicates/copy for auth-needed vs default-password remediation | Keeps UI decisions consistent across list cells, status modal, and setup |
| MinerList/*, StatusModal, getMinerMeasurement | Default-password miners show telemetry plus password-change-required issue/copy | Main operator-facing state representation |
| Fleet, MinerActionsMenu, SingleMinerActionsMenu, FleetGroupActionsMenu | Default-password miners are visible but disabled for normal actions; Manage security remains available | Mirrors the server command eligibility boundary from #480 |
| deviceSelector.ts and useDefaultPasswordMiners.ts | All-miner remediation selectors preserve pairing/model filters and count default-password miners | Prevents off-page all-selection from targeting the wrong devices |
| CompleteSetup/* | Adds the Update passwords card and modal stack wiring | Lets operators fix all default-password miners after pairing, like the auth card |
| client/e2eTests/protoFleet | Updates fake miner setup expectations | Keeps the browser fixture aligned with the new remediation state |

Key technical decisions & trade-offs

| Decision | Trade-off |
| --- | --- |
| Keep the UI remediation in a separate PR from backend hardening | Reviewers can validate trust boundaries before UI affordances, but the UX PR depends on #480 |
| Reuse Manage security instead of introducing a new modal | Less UI surface and matches existing password-change flow, but the entry points must pass precise filters |
| Count default-password miners as disabled for normal bulk/group actions | Adds extra count/filter plumbing, but prevents off-page unsafe command eligibility |
| Add Complete setup as the fleet-wide remediation entry point | Operators get a post-pairing workflow, but setup now depends on a default-password count query |

Testing & validation

  • npm test -- CompleteSetup.test.tsx deviceSelector.test.ts useDefaultPasswordMiners.test.ts useMinerActions.test.tsx Fleet.test.tsx FleetGroupActionsMenu.test.tsx MinerActionsMenu.test.tsx SingleMinerActionsMenu.test.tsx MinerIssues.test.tsx MinerList.modalFlow.test.tsx MinerList.test.tsx MinerWorkerName.test.tsx getMinerMeasurement.test.ts --run
  • npm run lint
  • npm run build:protoFleet
  • git diff --check

Not covered locally: full Playwright E2E; this PR updates the fixtures but the full browser suite is left to CI/local smoke.
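
The gating and selector scoping described in the PR summary above, as an added sketch that is not part of the PR or the ProtoFleet code base. All type, function, and model names are hypothetical, and treating only PAIRED miners as eligible for normal actions is an assumption; the description states only the DEFAULT_PASSWORD case.

```typescript
// Added illustration; every name here is hypothetical, not ProtoFleet's own code.
type PairingStatus = "PAIRED" | "DEFAULT_PASSWORD" | "AUTHENTICATION_NEEDED";
type Remediation = "none" | "change-password" | "re-authenticate";
type Action = "reboot" | "update-pool" | "manage-security";
interface Miner { id: string; model: string; pairingStatus: PairingStatus; }
interface DeviceSelector { allDevices: true; pairingStatuses: PairingStatus[]; models: string[]; }

// One shared predicate decides which remediation path a pairing status maps to.
function remediationFor(status: PairingStatus): Remediation {
  switch (status) {
    case "DEFAULT_PASSWORD": return "change-password";
    case "AUTHENTICATION_NEEDED": return "re-authenticate";
    case "PAIRED": return "none";
  }
}

// Normal mutating actions are blocked unless the miner is PAIRED (assumption for
// AUTHENTICATION_NEEDED); the security flow stays available so the password can be changed.
function canRun(action: Action, miner: Miner): boolean {
  if (action === "manage-security") return true;
  return miner.pairingStatus === "PAIRED";
}

// Split a bulk selection so the UI can report how many miners are disabled.
function splitSelection(action: Action, miners: Miner[]) {
  const eligible = miners.filter((m) => canRun(action, m));
  return { eligible, disabledCount: miners.length - eligible.length };
}

// All-devices selector for the remediation entry points: scoped to DEFAULT_PASSWORD
// and keeping the active model filter, so off-page miners of other models stay untargeted.
function defaultPasswordSelector(activeModelFilter: string[]): DeviceSelector {
  return { allDevices: true, pairingStatuses: ["DEFAULT_PASSWORD"], models: activeModelFilter.slice() };
}

// Resolve a selector against a fleet snapshot; an empty model list means "any model".
function targets(sel: DeviceSelector, miners: Miner[]): string[] {
  return miners
    .filter((m) => sel.pairingStatuses.indexOf(m.pairingStatus) !== -1)
    .filter((m) => sel.models.length === 0 || sel.models.indexOf(m.model) !== -1)
    .map((m) => m.id);
}

// Constructed sample fleet.
const sampleFleet: Miner[] = [
  { id: "m1", model: "model-a", pairingStatus: "PAIRED" },
  { id: "m2", model: "model-a", pairingStatus: "DEFAULT_PASSWORD" },
  { id: "m3", model: "model-b", pairingStatus: "DEFAULT_PASSWORD" },
  { id: "m4", model: "model-b", pairingStatus: "AUTHENTICATION_NEEDED" },
];
```

A client-side check like this only shapes what the operator sees; the enforcement boundary is the server-side command eligibility the description attributes to #480.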

@github-actions

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

  • Reviewed pull request diff only (1193bc2f2f623e056ae68db2407f1944e04e17fa...35a6e36def8aa3cb695f3ca46d8dc4de9bdbf98d, exact PR three-dot diff)
  • Model: gpt-5.5

💡 Click "edited" above to see previous reviews for this PR.


Review Summary

Overall Risk: NONE

Findings

No actionable security, correctness, or reliability findings in the scoped diff.

Notes

The reviewed changes are limited to ProtoFleet client UI/test code around default-password miner remediation, fleet selection gating, status/issue presentation, and onboarding copy. I did not find changes to backend authz, SQL/migrations, RPC handlers, plugin execution, Docker/Nginx infrastructure, Rust/Python plugins, or protobuf wire definitions in .git/codex-review.diff.

The new password-remediation paths appear to keep default-password miners visible but blocked from normal mutating bulk actions, while allowing the dedicated security/password flow through single-row, group, and Complete Setup entry points.


Generated by Codex Security Review |
Triggered by: @ankitgoswami |
Review workflow run

@ankitgoswami ankitgoswami force-pushed the codex/proto-creds-auth-review-fixes branch 6 times, most recently from 00dafce to 780b195 Compare June 17, 2026 00:27
Labels

client javascript Pull requests that update javascript code
