Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
The ConfigHandlers were calling config.SaveConfig() which uses
globalPersistence initialized at startup with potentially wrong path.
Now handlers use their own persistence instance directly which is
initialized with the correct DataPath.
This was causing Docker configurations to still save to /etc/pulse
even though we thought we fixed it in v4.0.6.
Fixes#253 (for real this time)
- Fix Docker persistence bug where config was saved to /etc/pulse instead of /data
- Fix Windows VM memory reporting with balloon drivers
- Add GetVMStatus method to get detailed VM info including balloon memory
- Update diagnostics endpoint to use correct config paths
Fixes#253 (Docker persistence)
Fixes#258 (Windows VM memory reporting)
- Add /api/diagnostics endpoint for detailed troubleshooting info
- Shows connection status, auth methods, errors for each node
- Auto-fix PBS hosts missing https:// prefix instead of crashing
- Skip invalid PBS instances instead of failing to start
- Fixes issue #251 where invalid PBS config crashed the service
- Fix hardcoded fallback version (was 4.0.3, now 4.0.4)
- Look for VERSION file in multiple locations (/opt/pulse/VERSION)
- Fixes version display when installed via community script
- Fix utils.GetDataDir() to default to /etc/pulse instead of /var/lib/pulse
- Add explicit PULSE_DATA_DIR=/etc/pulse to systemd service
- This fixes issue #254 where alerts were trying to use wrong directory
- Ensures consistency: Docker uses /data, manual installs use /etc/pulse
- Added secure config export/import with passphrase-based encryption
- CLI commands: pulse config export/import with AES-256-GCM encryption
- Auto-import on Docker startup via PULSE_INIT_CONFIG_FILE/DATA env vars
- API endpoints /api/config/export and /api/config/import (require API_TOKEN)
- Configs remain encrypted throughout export/import process
- Perfect for GitOps, CI/CD, and infrastructure as code workflows
This allows users to configure Pulse once via UI, export the encrypted
config, and deploy it automatically to multiple instances without
manual reconfiguration.
Addresses #249 - Config management for automation enthusiasts
ConfigPersistence was initialized with empty string instead of cfg.DataPath,
causing webhooks to save to /etc/pulse instead of PULSE_DATA_DIR.
This affected Docker deployments where /data is the persistent volume.
Fixes#249
- Fixed VERSION file not being included in Docker image
- Fixed config persistence using wrong directory in Docker (/etc/pulse instead of /data)
- Config now correctly uses PULSE_DATA_DIR environment variable
- Parse user@realm from token name if provided in full format
- Better handle various token input formats
- Require user info for token auth (either in token name or user field)
- Fix realm defaulting logic for different auth types
- Add GetDataDir() function to respect PULSE_DATA_DIR environment variable
- Update all hardcoded /var/lib/pulse paths to use configurable data directory
- Fix circular import by moving GetDataDir to utils package
- Ensures Docker containers can properly persist configuration and alerts
- Support both UPDATE_CHANNEL and PULSE_UPDATE_CHANNEL env vars
- Add logging when update channel is overridden from environment
- Fixes RC channel detection in containerized deployments
- Detect Node.js based installations (any version before v4)
- Block auto-update with migration required message
- Add detailed migration instructions to install.sh
- Check for .env, node_modules, old services, etc.
- Direct users to create fresh installation for v4
- Remove private repo references from update validation
- Change GitHub API URL back to public repo (rcourtman/Pulse)
- This reverts the test changes made for private repo update testing
- Active alerts now persist to /var/lib/pulse/alerts/active-alerts.json
- Alerts are saved when created, resolved, and every minute
- On startup, alerts are restored with original timestamps
- Prevents duplicate email notifications after service restarts
- Skips restoration of alerts older than 24 hours
- Preserves acknowledgment state and escalation levels
- Remove all unencrypted configuration fallback logic
- Fix PBS user realm handling with automatic @pbs appending
- Enable test connection for existing nodes using stored credentials
- Delete legacy migration code and unified config system
- Fix redundant "No guests found" message when no PVE nodes configured
- Remove old example yml and migration binary
- Ensure all credentials stored only in encrypted .enc files
- Frontend was sending 'server' but backend expects 'smtpHost'
- Fixed field mapping in testEmailConfig function
- Changed config type to 'any' since backend expects different structure
- Removed provider and starttls fields not needed by backend
The UI test email button should now work correctly.
- Backend now uses From address as recipient when To array is empty
- Fixed sendEmail and sendGroupedEmail to not check for recipients
- Added detailed logging for SMTP operations
- Fixed recipient logging to show actual recipients sent
This allows users to send test emails to themselves without
having to enter their email address in the recipients field,
as promised by the UI.
- Fix Gmail email configuration (field mapping between frontend/backend)
- Implement proper AES-256-GCM encryption for sensitive config files
- Add responsive column hiding for Storage tab on mobile devices
- Fix email configuration persistence and auto-populate recipients
- Add comprehensive testing tools for UI and API validation
- Fix alert acknowledge/clear functionality returning 404 errors
- Improve mobile UX: Storage shows only essential columns on small screens
- Revert dashboard to consistent table view (removed card layout experiment)
- Fix various UI issues: threshold detection, email template spacing
- Update notification system to use actual node data in test emails
- Backend update manager with GitHub Releases API integration
- Support for stable and RC update channels
- Safe update process with backups and rollback capability
- Docker environment detection
- Update API endpoints (check, apply, status)
- Frontend update UI in Settings with progress tracking
- WebSocket events for real-time update progress
- Auto-update configuration options
- Version display in app footer
- TypeScript types for update operations
- Replace all 'any' types with proper TypeScript types throughout the codebase
- Fix Record<string, any> to use specific types (AlertThresholds, unknown)
- Update logger methods to use 'unknown' instead of 'any' for parameters
- Fix type assertions to use proper types instead of 'as any'
- Update generic type defaults from 'any' to 'unknown'
- Fix WebSocket message types to use 'unknown' for optional data
- Move global Toast declaration to top level to fix TypeScript errors
- Comment out legacy PBS backup code that referenced non-existent fields
- Ensure all code follows TypeScript standards as documented in CLAUDE.md
All TypeScript compilation errors have been resolved and the codebase now
adheres to strict typing standards with no 'any' types remaining.
- Add new `/api/config/nodes/test-config` endpoint for testing unsaved node configurations
- Update NodesAPI to use appropriate endpoint based on whether node has an ID
- Existing nodes use `/api/config/nodes/{id}/test`, new nodes use `/api/config/nodes/test-config`
- Fix TypeScript types to include latency in test response details
This resolves the 400 error when testing connections for new nodes before they are saved.
- Remove recently resolved alerts from frontend display
- Keep recently resolved tracking in backend for potential future use
- Update alert indicators to show only critical and warning states
- Remove fade animations and resolved alert styling
- Improve dashboard clarity by focusing only on current issues
The dashboard now provides a cleaner, more focused view showing only
alerts that require immediate attention.
- Fixed alert clearing logic to work even when alerts are acknowledged
- Added immediate WebSocket state broadcast after alert resolution
- Fixed frontend activeAlerts store updates to maintain SolidJS reactivity
- Added logging for alert resolution events
The alert system now properly:
- Creates alerts when thresholds are exceeded
- Clears alerts automatically when values drop below clear threshold
- Updates frontend in real-time without requiring page refresh
- Reduce backup polling interval from 60s to 20s
- Add immediate polling on first cycle for faster initial load
- Add loading spinner UI while waiting for backup data
- Update frontend port from 3001 to 7655 in vite config
- Add .vite directory to gitignore
- Update CLAUDE.md with service management commands
- Go backend with Proxmox/PBS integration
- Modern TypeScript/SolidJS frontend
- WebSocket real-time updates
- Clean project structure with no legacy code
