- Add registration tokens documentation to SECURITY.md
- Add email configuration guide to README.md
- Create comprehensive API.md with all endpoints documented
- Include examples for bash, PowerShell, and Python API usage
- Document WebSocket connection for real-time updates
- Add rate limiting information and error response formats
- Added detailed reverse proxy guide for nginx, Caddy, Apache, Traefik, HAProxy, and Cloudflare Tunnel
- Emphasized WebSocket requirement for v4
- Added testing instructions and troubleshooting tips
- Updated README and CONFIGURATION docs to reference the new guide
- Addresses user feedback from issue #244 about WebSocket requirement
- Document Docker persistence in /data volume
- Add PBS HTTPS requirement to FAQ troubleshooting
- Clarify data directory usage for encryption keys
- Update file location documentation for Docker vs standard installs
- Updated README to show env vars instead of .env editing
- Updated FAQ with correct port change instructions
- Updated .env.example header to clarify it's for deployment overrides
- Made it clear UI is primary configuration method
- Environment variables are for deployment-time overrides only
- Remove .env syncing - UI no longer writes to .env file
- system.json is the single source for UI-managed settings
- .env files are read-only for deployment overrides
- Environment variables still override everything (Docker/systemd)
- Cleaner separation: env vars for deployment, JSON for runtime
- Updated documentation to clarify configuration hierarchy
- Simpler code with less failure points
- Fix release channel not saving when changed in UI
- Add system settings persistence for update-related config
- Expand .env file support to include all non-sensitive settings:
- UPDATE_CHANNEL, AUTO_UPDATE_ENABLED, AUTO_UPDATE_CHECK_INTERVAL, AUTO_UPDATE_TIME
- POLLING_INTERVAL, CONNECTION_TIMEOUT, ALLOWED_ORIGINS, LOG_LEVEL
- Update documentation with all available .env settings
- Settings now properly persist across restarts
- Environment variables override saved settings at startup
- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
- README reduced from 256 to 188 lines
- FAQ reduced from 133 to 66 lines
- PBS-AGENT simplified to essentials only
- Removed marketing language, obvious advice, redundant sections
- Focused on practical information users actually need
Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
- Explain security reasons for not allowing credential export
- Add best practices for configuration management
- Clarify that this is intentional, not a missing feature
- Parse user@realm from token name if provided in full format
- Better handle various token input formats
- Require user info for token auth (either in token name or user field)
- Fix realm defaulting logic for different auth types
- Remove temporary action items, issue responses, and Docker Hub description
- Move PROXMOX_HELPER_ISSUE.md to docs/ folder
- Add TODO comment to temporary-helper.sh for future removal
- Keep only essential files in root directory
- Updated screenshot script with improved dark mode detection and forcing
- Regenerated all 8 documentation screenshots in dark mode
- Screenshots now properly show the dark theme interface
- Fixed theme switching logic to ensure consistent dark mode capture
- Completely rewrite README.md configuration section
- Remove all references to manual pulse.yml editing
- Emphasize UI-only configuration like Radarr/Sonarr
- Simplify Docker examples
- Rewrite SECURITY.md from scratch
- Explain automatic encryption system
- Document how AES-256-GCM encryption works
- Add security architecture diagram
- Remove outdated manual config references
- Move CONFIGURATION.md to dev-docs (outdated)
- Documentation now correctly reflects that:
- All configuration is done through the web UI
- Credentials are automatically encrypted
- No manual file editing is needed or supported
- Complete rewrite of README.md in the style of original Pulse
- Add comprehensive user-facing documentation:
- FAQ.md with common questions and troubleshooting
- PBS-AGENT.md for push mode monitoring
- SCREENSHOTS.md placeholder for visual guide
- Update SECURITY.md intro to match new style
- Move internal dev docs to separate dev-docs folder
- Documentation now properly reflects Go/SolidJS architecture
- Replace real Gmail app password with placeholder in all test files
- Fix remaining production node name references in documentation
- Ensure no sensitive credentials remain in codebase
IMPORTANT: The exposed Gmail app password should be revoked immediately
- Replace personal email with generic test@example.com
- Replace production node names (delly, pimox) with generic examples
- Replace specific security tokens with placeholder values
- Update IP addresses to use localhost or generic examples
- Sanitize all testing files and documentation
- Replace all 'any' types with proper TypeScript types throughout the codebase
- Fix Record<string, any> to use specific types (AlertThresholds, unknown)
- Update logger methods to use 'unknown' instead of 'any' for parameters
- Fix type assertions to use proper types instead of 'as any'
- Update generic type defaults from 'any' to 'unknown'
- Fix WebSocket message types to use 'unknown' for optional data
- Move global Toast declaration to top level to fix TypeScript errors
- Comment out legacy PBS backup code that referenced non-existent fields
- Ensure all code follows TypeScript standards as documented in CLAUDE.md
All TypeScript compilation errors have been resolved and the codebase now
adheres to strict typing standards with no 'any' types remaining.
- Fixed alert clearing logic to work even when alerts are acknowledged
- Added immediate WebSocket state broadcast after alert resolution
- Fixed frontend activeAlerts store updates to maintain SolidJS reactivity
- Added logging for alert resolution events
The alert system now properly:
- Creates alerts when thresholds are exceeded
- Clears alerts automatically when values drop below clear threshold
- Updates frontend in real-time without requiring page refresh
