- Add pending restart detection when .env exists but not loaded
- Update frontend to show pending state instead of re-showing setup
- Fix QuickSecuritySetup to refresh security status after configuration
- Remove auto-restart attempts from security setup
- Show deployment-appropriate restart instructions
- Update documentation to reflect new update mechanism
Related to security setup issues after removing sudo/auto-restart capabilities
- Add critical docker-compose bcrypt escaping documentation
- Create comprehensive TROUBLESHOOTING.md guide
- Create dedicated DOCKER.md deployment guide
- Update CONFIGURATION.md with service name variations
- Document that .env file is not created when using env vars
- Add warnings about dollar sign escaping in docker-compose.yml
These docs address the main confusion points from recent issues,
especially the docker-compose bcrypt hash problem affecting many users.
- ProxmoxVE script can now check if auth is already set without credentials
- Quick-setup endpoint is now public but handler checks if setup should be skipped
- Prevents duplicate auth configuration attempts
- Critical for automated setup scripts
- explains purpose of each file type
- clarifies that .env is only for auth, not a regression
- documents the technical reasoning behind the architecture
- addresses confusion raised in #314
- clarified .env file usage for Docker (it's acceptable for Docker volumes)
- emphasized need for quotes around bcrypt hashes to prevent shell expansion
- removed incorrect SHA3-256 'cost factor' reference (only bcrypt has cost factor)
- added notes about proper quoting in Docker examples
Updated security documentation to explicitly mention that Docker uses
the Quick Security Setup wizard and persists credentials via /data/.env
file in the volume, making it clear how auth works in Docker deployments.
Docker now supports .env files in /data for auth credentials created
by the security wizard. This was added to fix the credential persistence
issue in Docker containers.
- Add clear documentation that auth settings are intentionally excluded from exports
- Update API docs to explicitly state what is/isn't included in exports
- Enhance migration guide with security notes about auth exclusion
- Add UI warning in export dialog about auth settings not transferring
- Each Pulse instance should configure its own authentication for security
Related to user feedback about auth settings not transferring between instances
- Homelab users on private networks (192.168.x.x, 10.x.x.x, 172.16.x.x) can now export/import without any configuration
- No need to set ALLOW_UNPROTECTED_EXPORT=true for typical homelab setups
- Public network access still requires authentication for security
- Simplifies backup/restore for users who don't need authentication
- Clarify that session auth (password login) is sufficient for export/import
- Document that guest metadata and custom console URLs are included
- Update FAQ with clearer backup instructions
- Add UI-first approach to README backup section
- Clarify that passwords are ALWAYS bcrypt hashed (never plain text)
- Document SHA3-256 hashing for API tokens
- Add Quick Security Setup as recommended method
- Update examples to show hashed format required
- Add security best practices section
- Add verification script reference
- Update troubleshooting for new auth variables
Documentation Updates:
- Fix CORS documentation to reflect new secure defaults (no CORS by default)
- Add API token management endpoints to API.md
- Document CORS configuration in SECURITY.md
- Update environment variable documentation with defaults
- Add authentication variables (PULSE_PASSWORD, API_TOKEN, etc.)
- Add troubleshooting for CORS and authentication issues
- Remove outdated references to ALLOWED_ORIGINS=*
- Clarify that CORS defaults to same-origin only
All documentation now accurately reflects:
- Security improvements from recent audit
- New API token management features
- Correct CORS behavior and configuration
- Complete environment variable reference
- Detect public vs private network access
- Show stronger warnings for public access without auth
- Red banner when accessed from internet without authentication
- Support for trusted networks configuration via PULSE_TRUSTED_NETWORKS
- Automatic RFC1918 private IP detection
- Enhanced security status API with network context
- Added debug logging for encryption key loading
- Created MIGRATION.md with clear backup/migration procedures
- Emphasizes export/import as the only supported migration method
- Warns against direct file copying
- Includes security notes about passphrase protection
- Added troubleshooting and pro tips
- Updated README and SECURITY docs to reference migration guide
- Add custom JSON payload template support for generic webhooks
- Users can now define custom webhook formats with Go template syntax
- Fix Telegram webhook issue where chat_id in URL caused 400 errors
- Automatically strip chat_id from URL and place in JSON body for Telegram
- Add comprehensive webhook documentation with examples
- Update API documentation with webhook endpoints
Addresses #305
- Add registration tokens documentation to SECURITY.md
- Add email configuration guide to README.md
- Create comprehensive API.md with all endpoints documented
- Include examples for bash, PowerShell, and Python API usage
- Document WebSocket connection for real-time updates
- Add rate limiting information and error response formats
- Added detailed reverse proxy guide for nginx, Caddy, Apache, Traefik, HAProxy, and Cloudflare Tunnel
- Emphasized WebSocket requirement for v4
- Added testing instructions and troubleshooting tips
- Updated README and CONFIGURATION docs to reference the new guide
- Addresses user feedback from issue #244 about WebSocket requirement
- Document Docker persistence in /data volume
- Add PBS HTTPS requirement to FAQ troubleshooting
- Clarify data directory usage for encryption keys
- Update file location documentation for Docker vs standard installs
- Updated README to show env vars instead of .env editing
- Updated FAQ with correct port change instructions
- Updated .env.example header to clarify it's for deployment overrides
- Made it clear UI is primary configuration method
- Environment variables are for deployment-time overrides only
- Remove .env syncing - UI no longer writes to .env file
- system.json is the single source for UI-managed settings
- .env files are read-only for deployment overrides
- Environment variables still override everything (Docker/systemd)
- Cleaner separation: env vars for deployment, JSON for runtime
- Updated documentation to clarify configuration hierarchy
- Simpler code with less failure points
- Fix release channel not saving when changed in UI
- Add system settings persistence for update-related config
- Expand .env file support to include all non-sensitive settings:
- UPDATE_CHANNEL, AUTO_UPDATE_ENABLED, AUTO_UPDATE_CHECK_INTERVAL, AUTO_UPDATE_TIME
- POLLING_INTERVAL, CONNECTION_TIMEOUT, ALLOWED_ORIGINS, LOG_LEVEL
- Update documentation with all available .env settings
- Settings now properly persist across restarts
- Environment variables override saved settings at startup
- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
- README reduced from 256 to 188 lines
- FAQ reduced from 133 to 66 lines
- PBS-AGENT simplified to essentials only
- Removed marketing language, obvious advice, redundant sections
- Focused on practical information users actually need
Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
- Explain security reasons for not allowing credential export
- Add best practices for configuration management
- Clarify that this is intentional, not a missing feature
- Parse user@realm from token name if provided in full format
- Better handle various token input formats
- Require user info for token auth (either in token name or user field)
- Fix realm defaulting logic for different auth types
- Remove temporary action items, issue responses, and Docker Hub description
- Move PROXMOX_HELPER_ISSUE.md to docs/ folder
- Add TODO comment to temporary-helper.sh for future removal
- Keep only essential files in root directory
- Updated screenshot script with improved dark mode detection and forcing
- Regenerated all 8 documentation screenshots in dark mode
- Screenshots now properly show the dark theme interface
- Fixed theme switching logic to ensure consistent dark mode capture
- Completely rewrite README.md configuration section
- Remove all references to manual pulse.yml editing
- Emphasize UI-only configuration like Radarr/Sonarr
- Simplify Docker examples
- Rewrite SECURITY.md from scratch
- Explain automatic encryption system
- Document how AES-256-GCM encryption works
- Add security architecture diagram
- Remove outdated manual config references
- Move CONFIGURATION.md to dev-docs (outdated)
- Documentation now correctly reflects that:
- All configuration is done through the web UI
- Credentials are automatically encrypted
- No manual file editing is needed or supported
- Complete rewrite of README.md in the style of original Pulse
- Add comprehensive user-facing documentation:
- FAQ.md with common questions and troubleshooting
- PBS-AGENT.md for push mode monitoring
- SCREENSHOTS.md placeholder for visual guide
- Update SECURITY.md intro to match new style
- Move internal dev docs to separate dev-docs folder
- Documentation now properly reflects Go/SolidJS architecture
- Replace real Gmail app password with placeholder in all test files
- Fix remaining production node name references in documentation
- Ensure no sensitive credentials remain in codebase
IMPORTANT: The exposed Gmail app password should be revoked immediately
- Replace personal email with generic test@example.com
- Replace production node names (delly, pimox) with generic examples
- Replace specific security tokens with placeholder values
- Update IP addresses to use localhost or generic examples
- Sanitize all testing files and documentation
