- Replace Go interface{} with any (Go 1.18+ standard)
- Add database indexes to frequently queried model fields
- Add JSDoc documentation to frontend API client methods
- Remove deprecated docker-compose version keys
- Add concurrency groups to all 25 GitHub Actions workflows
- Add YAML front matter and fix H1→H2 headings in docs
Coverage: Backend 85.5%, Frontend 87.73%
Security: No vulnerabilities detected
Refs: docs/plans/instruction_compliance_spec.md
Remove handler-level `trusted_proxies` configuration from ReverseProxyHandler that was
using an invalid object structure. Caddy's reverse_proxy handler expects trusted_proxies
to be an array of CIDR strings, not an object with {source, ranges}.
The server-level trusted_proxies configuration in config.go already provides equivalent
IP spoofing protection globally for all routes, making the handler-level setting redundant.
Changes:
- backend: Remove lines 184-189 from internal/caddy/types.go
- backend: Update 3 unit tests to remove handler-level trusted_proxies assertions
- docs: Document fix in CHANGELOG.md
Fixes: #[issue-number] (500 error when saving proxy hosts)
Tests: All 84 backend tests pass (84.6% coverage)
Security: Trivy + govulncheck clean, no vulnerabilities
Add handlers for enable_standard_headers, forward_auth_enabled, and waf_disabled fields
in the proxy host Update function. These fields were defined in the model but were not
being processed during updates, causing:
- 500 errors when saving proxy host configurations
- Auth pass-through failures for apps like Seerr/Overseerr due to missing X-Forwarded-* headers
Changes:
- backend: Add field handlers for 3 missing fields in proxy_host_handler.go
- backend: Add 5 comprehensive unit tests for field handling
- frontend: Update TypeScript ProxyHost interface with missing fields
- docs: Document fixes in CHANGELOG.md
Tests: All 1147 tests pass (backend 85.6%, frontend 87.7% coverage)
Security: No vulnerabilities (Trivy + govulncheck clean)
Fixes#16 (auth pass-through)
Fixes#17 (500 error on save)
Add X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers to all proxy hosts for proper client IP detection, HTTPS enforcement, and logging.
- New feature flag: enable_standard_headers (default: true for new hosts, false for existing)
- UI: Checkbox in proxy host form and bulk apply modal for easy migration
- Security: Always configure trusted_proxies when headers enabled
- Backward compatible: Existing hosts preserve legacy behavior until explicitly enabled
BREAKING CHANGE: New proxy hosts will have standard headers enabled by default. Existing hosts maintain legacy behavior. Users can opt-in via UI.
Backend: 98.7% coverage, 8 new tests
Frontend: 87.7% coverage, full TypeScript support
Docs: Comprehensive migration guide and troubleshooting
Closes #<issue-number> (FileFlows WebSocket fix)
- Add new API-Friendly preset (70/100) optimized for mobile apps and API clients
- CORP set to "cross-origin" to allow mobile app access
- CSP disabled as APIs don't need content security policy
- Add tooltips to preset cards explaining use cases and compatibility
- Add warning banner in ProxyHostForm when Strict/Paranoid selected
- Warn users about mobile app compatibility issues
Presets now: Basic (65) < API-Friendly (70) < Strict (85) < Paranoid (100)
Recommended for: Radarr, Sonarr, Plex, Jellyfin, Home Assistant, Vaultwarden
- Add diagnostic logging to track security_header_profile_id conversions
- Replace silent failures with explicit HTTP 400 error responses
- Fix ProxyHostService.Update to properly handle nullable foreign keys
- Fix frontend dropdown to use explicit null checks (no falsy coercion)
- Add 7 comprehensive tests for profile assignment edge cases
Root cause: Backend handler had no else clause for type conversion failures,
causing old values to persist. Fixed by adding logging, error handling, and
changing service layer from Updates() to Select("*") for nullable FKs.
Refs: #<issue_number_if_applicable>
Implement complete workflow for assigning security header profiles
to proxy hosts via dropdown selector in ProxyHostForm.
Backend Changes:
- Add security_header_profile_id handling to proxy host update endpoint
- Add SecurityHeaderProfile preloading in service layer
- Add 5 comprehensive tests for profile CRUD operations
Frontend Changes:
- Add Security Headers section to ProxyHostForm with dropdown
- Group profiles: System Profiles (presets) vs Custom Profiles
- Remove confusing "Apply" button from SecurityHeaders page
- Rename section to "System Profiles (Read-Only)" for clarity
- Show security score inline when profile selected
UX Improvements:
- Clear workflow: Select profile → Assign to host → Caddy applies
- No more confusion about what "Apply" does
- Discoverable security header assignment
- Visual distinction between presets and custom profiles
Tests: Backend 85.6%, Frontend 87.21% coverage
Docs: Updated workflows in docs/features.md
GitHub's github.ref_name returns "421/merge" for PR merge refs,
creating invalid Docker tags like "pr-421/merge". Docker tags
cannot contain forward slashes.
Changed to use github.event.pull_request.number which returns
just the PR number (e.g., "421") for valid tags like "pr-421".
Also added comprehensive unit tests for backup_service.go to
meet the 85% coverage threshold.
Fixes CI/CD failure in PR #421.
- Add PRAGMA quick_check on startup with warning log if corrupted
- Add corruption sentinel helpers for structured error detection
- Add backup retention (keep last 7, auto-cleanup after daily backup)
- Add GET /api/v1/health/db endpoint for orchestrator health checks
Prevents silent data loss and enables proactive corruption detection.
- Add scripts/db-recovery.sh for database integrity check and recovery
- Enable WAL mode verification with logging on startup
- Add structured error logging to uptime handlers with monitor context
- Add comprehensive database maintenance documentation
Fixes heartbeat history showing "No History Available" due to database
corruption affecting 6 out of 14 monitors.
- Add logging when enrollment is silently skipped due to existing state
- Add DELETE /admin/crowdsec/console/enrollment endpoint to clear state
- Add re-enrollment UI section with guidance and crowdsec.net link
- Add useClearConsoleEnrollment hook for state clearing
Fixes silent idempotency bug where backend returned 200 OK without
actually executing cscli when status was already enrolled.
- Add --tags tenant:X when tenant/organization is provided
- Add --overwrite flag when force (rotate key) is requested
- Add extractUserFriendlyError() to parse cscli errors for user display
- Add comprehensive tests for command construction
Fixes enrollment not reaching CrowdSec.net when using the console enrollment form.
- Backend: Start/Stop handlers now sync both settings and security_configs tables
- Frontend: CrowdSec toggle uses actual process status (crowdsecStatus.running)
- Frontend: Fixed LiveLogViewer WebSocket race condition by using isPausedRef
- Frontend: Removed deprecated mode toggle from CrowdSecConfig page
- Frontend: Added info banner directing users to Security Dashboard
- Frontend: Added "Start CrowdSec" button to enrollment warning panel
Fixes dual-source state conflict causing toggle to show incorrect state.
Fixes live log "disconnected" status appearing while logs stream.
Simplifies CrowdSec control to single source (Security Dashboard toggle).
Includes comprehensive test updates for new architecture.
- Added QA summary report for CrowdSec toggle fix validation, detailing test results, code quality audit, and recommendations for deployment.
- Updated existing QA report to reflect the new toggle fix validation status and testing cycle.
- Enhanced security documentation to explain the persistence of CrowdSec across container restarts and troubleshooting steps for common issues.
- Expanded troubleshooting guide to address scenarios where CrowdSec does not start after a container restart, including diagnosis and solutions.
- Added TestMigrateCommand_Succeeds to validate migration functionality.
- Introduced TestStartupVerification_MissingTables to ensure proper handling of missing security tables.
- Updated crowdsec_startup.go to log warnings for missing SecurityConfig table.
- Enhanced documentation for database migrations during upgrades, including steps and expected outputs.
- Created a detailed migration QA report outlining testing results and recommendations.
- Added troubleshooting guidance for CrowdSec not starting after upgrades due to missing tables.
- Established a new plan for addressing CrowdSec reconciliation failures, including root cause analysis and proposed fixes.
- Make Stop() idempotent: return nil instead of error when PID file missing
- Add startup reconciliation: auto-start CrowdSec if DB says enabled
- Ensure log file exists for LogWatcher to prevent disconnection
Fixes:
- "Failed to stop CrowdSec: 500 error" when toggling off
- CrowdSec showing "not running" despite being enabled in settings
- Live logs showing disconnected after container restart
The Status() handler was only checking if the CrowdSec process was
running, not if LAPI was actually responding. This caused the
CrowdSecConfig page to always show "LAPI is initializing" even when
LAPI was fully operational.
Changes:
- Backend: Add lapi_ready field to /admin/crowdsec/status response
- Frontend: Add CrowdSecStatus TypeScript interface
- Frontend: Update conditional logic to check lapi_ready not running
- Frontend: Separate warnings for "initializing" vs "not running"
- Tests: Add unit tests for Status handler LAPI check
Fixes regression from crowdsec_lapi_error_diagnostic.md fixes.
- Update import paths to github.com/oschwald/geoip2-golang/v2
- Handle API breaking changes (net.IP → netip.Addr, IsoCode → ISOCode)
- Fix VERSION.md to match git tag (0.7.13)
- Resolves CI failure in benchmark workflow
Caddy 2.10.2 requires Go 1.25 (declared in its go.mod). The previous
commit incorrectly downgraded to Go 1.23 based on the false assumption
that Go 1.25.5 doesn't exist.
This fix:
- Updates Dockerfile Go images from 1.23-alpine to 1.25-alpine
- Updates backend/go.mod to go 1.25
- Updates go.work to go 1.25
Fixes CI Docker build failures in xcaddy stage.
