- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
- Completely rewrite README.md configuration section
- Remove all references to manual pulse.yml editing
- Emphasize UI-only configuration like Radarr/Sonarr
- Simplify Docker examples
- Rewrite SECURITY.md from scratch
- Explain automatic encryption system
- Document how AES-256-GCM encryption works
- Add security architecture diagram
- Remove outdated manual config references
- Move CONFIGURATION.md to dev-docs (outdated)
- Documentation now correctly reflects that:
- All configuration is done through the web UI
- Credentials are automatically encrypted
- No manual file editing is needed or supported
- Complete rewrite of README.md in the style of original Pulse
- Add comprehensive user-facing documentation:
- FAQ.md with common questions and troubleshooting
- PBS-AGENT.md for push mode monitoring
- SCREENSHOTS.md placeholder for visual guide
- Update SECURITY.md intro to match new style
- Move internal dev docs to separate dev-docs folder
- Documentation now properly reflects Go/SolidJS architecture
- Replace real Gmail app password with placeholder in all test files
- Fix remaining production node name references in documentation
- Ensure no sensitive credentials remain in codebase
IMPORTANT: The exposed Gmail app password should be revoked immediately
- Replace personal email with generic test@example.com
- Replace production node names (delly, pimox) with generic examples
- Replace specific security tokens with placeholder values
- Update IP addresses to use localhost or generic examples
- Sanitize all testing files and documentation
- Replace all 'any' types with proper TypeScript types throughout the codebase
- Fix Record<string, any> to use specific types (AlertThresholds, unknown)
- Update logger methods to use 'unknown' instead of 'any' for parameters
- Fix type assertions to use proper types instead of 'as any'
- Update generic type defaults from 'any' to 'unknown'
- Fix WebSocket message types to use 'unknown' for optional data
- Move global Toast declaration to top level to fix TypeScript errors
- Comment out legacy PBS backup code that referenced non-existent fields
- Ensure all code follows TypeScript standards as documented in CLAUDE.md
All TypeScript compilation errors have been resolved and the codebase now
adheres to strict typing standards with no 'any' types remaining.
