Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
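The per-client limit described in the commit above (5 attempts per minute, automatic cleanup, middleware support), as an added Go example that is not Pulse's own RateLimiter code. The type, field and method names are assumptions, and it uses a fixed window, which can admit up to twice the limit across a window boundary.

```go
package main
import (
	"net"
	"net/http"
	"sync"
	"time"
)

type bucket struct{ count int; start time.Time } // attempts in the current window
type RateLimiter struct { // fixed-window limiter keyed by client IP (names are assumptions)
	mu     sync.Mutex
	limit  int
	window time.Duration
	swept  time.Time
	seen   map[string]*bucket
}

// Allow counts one attempt at time now and reports whether it is within the limit.
func (rl *RateLimiter) Allow(key string, now time.Time) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	if now.Sub(rl.swept) >= rl.window { // automatic cleanup, at most once per window
		for k, b := range rl.seen {
			if now.Sub(b.start) >= rl.window {
				delete(rl.seen, k) // bounds memory when many one-off clients connect
			}
		}
		rl.swept = now
	}
	b := rl.seen[key]
	if b == nil || now.Sub(b.start) >= rl.window {
		b = &bucket{start: now} // first attempt, or the previous window expired
		rl.seen[key] = b
	}
	b.count++
	return b.count <= rl.limit
}

// Middleware keys on the TCP peer address; X-Forwarded-For is client-controlled.
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ip, _, _ := net.SplitHostPort(r.RemoteAddr); !rl.Allow(ip, time.Now()) {
			http.Error(w, "too many attempts", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {}
```

Construct it with `&RateLimiter{limit: 5, window: time.Minute, seen: map[string]*bucket{}}` and wrap only the export/import handlers. Behind a reverse proxy every client shares the proxy's peer address, so the key must then come from a header set by that trusted proxy.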
The ConfigHandlers were calling config.SaveConfig() which uses
globalPersistence initialized at startup with potentially wrong path.
Now handlers use their own persistence instance directly which is
initialized with the correct DataPath.
This was causing Docker configurations to still save to /etc/pulse
even though we thought we fixed it in v4.0.6.
Fixes #253 (for real this time)
- Fix Docker persistence bug where config was saved to /etc/pulse instead of /data
- Fix Windows VM memory reporting with balloon drivers
- Add GetVMStatus method to get detailed VM info including balloon memory
- Update diagnostics endpoint to use correct config paths
Fixes #253 (Docker persistence)
Fixes #258 (Windows VM memory reporting)
- Add 'Run Diagnostics' button in Settings → Diagnostics tab
- Shows connection status for all nodes and PBS instances
- Displays auth method, errors, and system info
- Users can now easily troubleshoot connection issues
- Add /api/diagnostics endpoint for detailed troubleshooting info
- Shows connection status, auth methods, errors for each node
- Auto-fix PBS hosts missing https:// prefix instead of crashing
- Skip invalid PBS instances instead of failing to start
- Fixes issue #251 where invalid PBS config crashed the service
- Fix hardcoded fallback version (was 4.0.3, now 4.0.4)
- Look for VERSION file in multiple locations (/opt/pulse/VERSION)
- Fixes version display when installed via community script
- Remove --password parameter that may cause issues on PVE 9
- Add explicit error handling for container creation
- Separate container creation and start steps
- Add proper wait loop for container startup
- Better error messages if IP detection fails
- Standardized release notes format for all releases
- Removed emoji from headers (keep it professional)
- Only mention specific Docker version tag (not all variants)
- Clear sections for Features, Fixes, Improvements, Breaking Changes
- Consistent installation instructions format
- Remove RELEASE_CHECKLIST.md from gitignore so it's tracked
- Fix utils.GetDataDir() to default to /etc/pulse instead of /var/lib/pulse
- Add explicit PULSE_DATA_DIR=/etc/pulse to systemd service
- This fixes issue #254 where alerts were trying to use wrong directory
- Ensures consistency: Docker uses /data, manual installs use /etc/pulse
- Single directory for all data (config + runtime)
- Docker uses /data (via PULSE_DATA_DIR env var)
- Manual installs use /etc/pulse (default)
- Removed unnecessary /var/lib/pulse directory creation
- Updated docs to clarify data storage locations
This eliminates confusion about multiple directories and follows
the principle of keeping things simple.
- Added secure config export/import with passphrase-based encryption
- CLI commands: pulse config export/import with AES-256-GCM encryption
- Auto-import on Docker startup via PULSE_INIT_CONFIG_FILE/DATA env vars
- API endpoints /api/config/export and /api/config/import (require API_TOKEN)
- Configs remain encrypted throughout export/import process
- Perfect for GitOps, CI/CD, and infrastructure as code workflows
This allows users to configure Pulse once via UI, export the encrypted
config, and deploy it automatically to multiple instances without
manual reconfiguration.
Addresses #249 - Config management for automation enthusiasts
ConfigPersistence was initialized with empty string instead of cfg.DataPath,
causing webhooks to save to /etc/pulse instead of PULSE_DATA_DIR.
This affected Docker deployments where /data is the persistent volume.
Fixes #249
- Fixed VERSION file not being included in Docker image
- Fixed config persistence using wrong directory in Docker (/etc/pulse instead of /data)
- Config now correctly uses PULSE_DATA_DIR environment variable
- Explain security reasons for not allowing credential export
- Add best practices for configuration management
- Clarify that this is intentional, not a missing feature
- Fix port mapping from 7655:3000 to 7655:7655
- Fix healthcheck to use correct port 7655
- Remove pulse_config volume as it's not needed in v4
- All configuration is stored in /data directory
- Parse user@realm from token name if provided in full format
- Better handle various token input formats
- Require user info for token auth (either in token name or user field)
- Fix realm defaulting logic for different auth types
- Remove temporary action items, issue responses, and Docker Hub description
- Move PROXMOX_HELPER_ISSUE.md to docs/ folder
- Add TODO comment to temporary-helper.sh for future removal
- Keep only essential files in root directory
- Note that PR for Proxmox helper script has been submitted
- Create response templates for all open issues
- Update README to reflect fix is in progress
- Add GetDataDir() function to respect PULSE_DATA_DIR environment variable
- Update all hardcoded /var/lib/pulse paths to use configurable data directory
- Fix circular import by moving GetDataDir to utils package
- Ensures Docker containers can properly persist configuration and alerts
- API endpoints are an implementation detail not needed by most users
- Keeps README focused on installation and usage
- Developers can find API info in the code or create separate API docs if needed
- Updated screenshot script with improved dark mode detection and forcing
- Regenerated all 8 documentation screenshots in dark mode
- Screenshots now properly show the dark theme interface
- Fixed theme switching logic to ensure consistent dark mode capture
- Fixes moderate security vulnerability in esbuild (GHSA-67mh-4wv8-2f99)
- Updates vite from 5.4.19 to 6.3.5 which includes esbuild 0.25.0
- esbuild vulnerability allowed any website to send requests to dev server
- Frontend build tested and working correctly with new version