Updated logging to exclude request bodies that may contain passwords
or other sensitive information. Now only logs metadata about requests
without exposing actual credentials.
- add proper telegram bot api support with chat_id and text fields
- fix frontend pbs red dot display (was checking 'error' instead of 'unhealthy')
- fix qemu guest agent memory reporting (fallback to mem when freemem is 0)
- extract chat_id from telegram webhook urls when present
- Import was saving configs to disk but not updating in-memory state
- Added explicit reloading of alert thresholds after import
- Added explicit reloading of webhooks after import
- Added explicit reloading of email config after import
- Settings now show immediately in UI without requiring restart
Fixes#291 where imported alert thresholds and webhooks weren't
visible until after service restart
- Fixed incorrect RAM usage display for VMs without guest agent (issue #280)
- VMs without guest agent now show 0% usage instead of 100%
- Only show actual usage when guest agent provides FreeMem data
- Containers continue to show accurate usage as before
- Fixed webhook test functionality (issue #279)
- Added proper webhook ID handling in test notification endpoint
- Created SendTestWebhook method to test specific webhooks
- Frontend can now successfully trigger webhook tests
Token names now include both Pulse server IP and Unix timestamp (e.g. pulse-192-168-0-176-1754816525) ensuring each script run creates a unique token. This completely eliminates 'token already exists' errors when running setup scripts multiple times.
When running the setup script multiple times from different Pulse servers, tokens now include the Pulse server's IP address in the name (e.g. pulse-192-168-0-176) to avoid conflicts. This prevents 'token already exists' errors when managing multiple Pulse instances.
- PBS instances now show as online when datastores are accessible even if version endpoint fails
- Email sending now uses proper STARTTLS support for compatibility with providers like SMTP2GO
- Email recipient input no longer filters entries while typing
- Auto-update setting now properly persists and loads from config
- Fixed CPU usage alerts for offline VMs (already addressed in previous commits)
- Added service field to WebhookConfig to identify Discord webhooks
- Use Discord-specific template when sending Discord webhooks
- Fixed backup type detection for PBS backups (vm/ct)
- Fixed shared storage duplicate IDs across instances
- Fixed alert acknowledge/clear response format to match frontend expectations
- Fix CPU core display to show for all guests with CPU data
- Previously only showed cores when CPU > 0 (truthy)
- Now shows "(0.0/X cores)" consistently for all running/stopped guests
- Improve code organization with new helper utilities
- Clean up import statements and remove debug logs
- Remove token logging - tokens were being logged in plaintext
- Add client IP logging for security auditing
- Add HTTPS warning when tokens sent over HTTP
- Remove debug output that exposed tokens in console
- Add optional auth requirement via REQUIRE_AUTH_FOR_AUTO_REGISTER env var
- Prevent token exposure in error messages
- Already has duplicate node prevention
Security improvements:
- Tokens no longer logged anywhere
- Source IPs tracked for audit trail
- Optional authentication for high-security environments
- HTTPS enforcement warnings
- Fix unsafe JSON parsing in WebSocket with proper error handling
- Fix unsafe JSON parsing in Settings import with validation
- Improve API token security by using sessionStorage as primary storage
- Remove debug console statements from production code
- Fix race conditions in WebSocket alert handling with atomic updates
- Add NaN validation for parseFloat operations in search queries
- Add safer error handling alternatives in generics utility
- Improve graceful shutdown in Settings API with proper timing
- All changes verified with successful frontend and backend builds
- Fix release channel not saving when changed in UI
- Add system settings persistence for update-related config
- Expand .env file support to include all non-sensitive settings:
- UPDATE_CHANNEL, AUTO_UPDATE_ENABLED, AUTO_UPDATE_CHECK_INTERVAL, AUTO_UPDATE_TIME
- POLLING_INTERVAL, CONNECTION_TIMEOUT, ALLOWED_ORIGINS, LOG_LEVEL
- Update documentation with all available .env settings
- Settings now properly persist across restarts
- Environment variables override saved settings at startup
- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
- Add checkbox to control whether backup write permissions are granted
- When checked: adds PVEDatastoreAdmin role on /storage (allows backup management)
- When unchecked: only PVEAuditor role (read-only, no PVE backups in Storage tab)
- Update setup script generation to conditionally add storage permissions
- Update UI to clearly explain the implications of each choice
Frontend:
- Enhanced cluster vs standalone node visual distinction in Settings
- Added glassmorphic style to all toast notifications for consistency
- Fixed test connection in edit modal to use stored encrypted credentials
- Added batch credential modal for bulk node operations
- Added network discovery modal with auto-subnet detection
- Improved notification system with dual toast/notification support
- Added event bus for component communication
Backend:
- Fixed duplicate toast notifications during auto-registration
- Fixed PBS auto-registration token extraction from JSON output
- Added network discovery service with background scanning
- Improved cluster detection with actual cluster name from API
- Added helper function to reduce code duplication in cluster detection
- Fixed host URL normalization in auto-registration
- Enhanced PBS client token authentication parsing
Bug Fixes:
- Fixed stacking toast notifications creating visual bugs
- Fixed PBS authentication failures after auto-registration
- Fixed network discovery not finding Proxmox servers
- Fixed test connection for existing nodes with encrypted tokens
- Removed duplicate WebSocket broadcasts for auto-registration events
- PBS host now automatically gets https:// prefix and :8007 port if missing
- Fixed auto-naming to work after host normalization
- Token auth now correctly displays 'Token:' instead of 'User:'
- Edit mode now correctly identifies token vs password auth
- Backend properly clears unused auth fields when switching types
Fixes#263, #261
- Fixed NodeModal to correctly detect token auth based on tokenName instead of user field
- Backend now properly clears user field when using token authentication
- Backend now properly clears token fields when using password authentication
- This fixes the issue where PBS nodes using token auth would show "User:" instead of "Token:"
Fixes#263, #261
- Removed PBS summary card from Dashboard and Backups tabs (not needed)
- Fixed backup frequency chart to use local timezone instead of UTC
- Chart now properly includes today in the date range
- Dates display according to user's browser timezone
The issue was that the binary was looking for frontend files relative to the current working directory instead of relative to the binary location. This caused a redirect loop when the binary was installed in /opt/pulse but run from elsewhere.
Fixed by:
- Making the binary detect its own location and look for frontend files there
- Adding fallback paths for common installation locations
- Logging where frontend files are being served from for debugging
- Use background context for update downloads to prevent cancellation
- Detect actual binary location and update correct file
- Support both 'pulse' and 'pulse-backend' service names
- Copy VERSION file to multiple locations for compatibility
- Handle flat tarball structure from GitHub releases
- Frontend now passes currently selected channel when checking for updates
- Backend accepts channel parameter to check specific channel without saving
- Fixed applyUpdateFiles to handle flat tarball structure (not nested in pulse-* directory)
- Fixed extraction logic to properly copy pulse binary, frontend, and VERSION file
- Users no longer need to toggle channels and save to see update button
Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
The ConfigHandlers were calling config.SaveConfig() which uses
globalPersistence initialized at startup with potentially wrong path.
Now handlers use their own persistence instance directly which is
initialized with the correct DataPath.
This was causing Docker configurations to still save to /etc/pulse
even though we thought we fixed it in v4.0.6.
Fixes#253 (for real this time)
- Fix Docker persistence bug where config was saved to /etc/pulse instead of /data
- Fix Windows VM memory reporting with balloon drivers
- Add GetVMStatus method to get detailed VM info including balloon memory
- Update diagnostics endpoint to use correct config paths
Fixes#253 (Docker persistence)
Fixes#258 (Windows VM memory reporting)
- Add /api/diagnostics endpoint for detailed troubleshooting info
- Shows connection status, auth methods, errors for each node
- Auto-fix PBS hosts missing https:// prefix instead of crashing
- Skip invalid PBS instances instead of failing to start
- Fixes issue #251 where invalid PBS config crashed the service
ConfigPersistence was initialized with empty string instead of cfg.DataPath,
causing webhooks to save to /etc/pulse instead of PULSE_DATA_DIR.
This affected Docker deployments where /data is the persistent volume.
Fixes#249
- Parse user@realm from token name if provided in full format
- Better handle various token input formats
- Require user info for token auth (either in token name or user field)
- Fix realm defaulting logic for different auth types
- Add GetDataDir() function to respect PULSE_DATA_DIR environment variable
- Update all hardcoded /var/lib/pulse paths to use configurable data directory
- Fix circular import by moving GetDataDir to utils package
- Ensures Docker containers can properly persist configuration and alerts
- Remove all unencrypted configuration fallback logic
- Fix PBS user realm handling with automatic @pbs appending
- Enable test connection for existing nodes using stored credentials
- Delete legacy migration code and unified config system
- Fix redundant "No guests found" message when no PVE nodes configured
- Remove old example yml and migration binary
- Ensure all credentials stored only in encrypted .enc files
- Frontend was sending 'server' but backend expects 'smtpHost'
- Fixed field mapping in testEmailConfig function
- Changed config type to 'any' since backend expects different structure
- Removed provider and starttls fields not needed by backend
The UI test email button should now work correctly.
- Fix Gmail email configuration (field mapping between frontend/backend)
- Implement proper AES-256-GCM encryption for sensitive config files
- Add responsive column hiding for Storage tab on mobile devices
- Fix email configuration persistence and auto-populate recipients
- Add comprehensive testing tools for UI and API validation
- Fix alert acknowledge/clear functionality returning 404 errors
- Improve mobile UX: Storage shows only essential columns on small screens
- Revert dashboard to consistent table view (removed card layout experiment)
- Fix various UI issues: threshold detection, email template spacing
- Update notification system to use actual node data in test emails
- Backend update manager with GitHub Releases API integration
- Support for stable and RC update channels
- Safe update process with backups and rollback capability
- Docker environment detection
- Update API endpoints (check, apply, status)
- Frontend update UI in Settings with progress tracking
- WebSocket events for real-time update progress
- Auto-update configuration options
- Version display in app footer
- TypeScript types for update operations
- Replace all 'any' types with proper TypeScript types throughout the codebase
- Fix Record<string, any> to use specific types (AlertThresholds, unknown)
- Update logger methods to use 'unknown' instead of 'any' for parameters
- Fix type assertions to use proper types instead of 'as any'
- Update generic type defaults from 'any' to 'unknown'
- Fix WebSocket message types to use 'unknown' for optional data
- Move global Toast declaration to top level to fix TypeScript errors
- Comment out legacy PBS backup code that referenced non-existent fields
- Ensure all code follows TypeScript standards as documented in CLAUDE.md
All TypeScript compilation errors have been resolved and the codebase now
adheres to strict typing standards with no 'any' types remaining.
- Add new `/api/config/nodes/test-config` endpoint for testing unsaved node configurations
- Update NodesAPI to use appropriate endpoint based on whether node has an ID
- Existing nodes use `/api/config/nodes/{id}/test`, new nodes use `/api/config/nodes/test-config`
- Fix TypeScript types to include latency in test response details
This resolves the 400 error when testing connections for new nodes before they are saved.
- Fixed alert clearing logic to work even when alerts are acknowledged
- Added immediate WebSocket state broadcast after alert resolution
- Fixed frontend activeAlerts store updates to maintain SolidJS reactivity
- Added logging for alert resolution events
The alert system now properly:
- Creates alerts when thresholds are exceeded
- Clears alerts automatically when values drop below clear threshold
- Updates frontend in real-time without requiring page refresh
- Reduce backup polling interval from 60s to 20s
- Add immediate polling on first cycle for faster initial load
- Add loading spinner UI while waiting for backup data
- Update frontend port from 3001 to 7655 in vite config
- Add .vite directory to gitignore
- Update CLAUDE.md with service management commands
- Go backend with Proxmox/PBS integration
- Modern TypeScript/SolidJS frontend
- WebSocket real-time updates
- Clean project structure with no legacy code
