v0.9.1 — pre-1.0 hardening

Pre-release

@Partha-dev01 Partha-dev01 released this 23 Jun 18:01

Pre-1.0 hardening — fixes from a multi-agent security + correctness audit of the whole tree. All changes are backward-compatible; the SQLite relocation auto-migrates (with a backup).

Security

  • No cleartext-secret leak path on the public repo: .gitignore now ignores .env.bak* / .env.tmp*, and tools/leak-scan.sh gained a JWT-shaped backstop.
  • The MCP HTTP transport binds loopback only (127.0.0.1) with a fail-closed assert.
  • Admin-panel log redaction now scrubs S3/R2/SMTP credentials (from the 0600 secrets/*.env files) and is applied to the /action + /confirm output. The SnappyMail admin password is hashed off-argv (via stdin).
  • Kavita + Audiobookshelf: the optional Matrix-SSO forward_auth block moved inside the catch-all handle {} so it can never be hoisted ahead of the OPDS / token-API exemption (caddy-validated).
  • Syncthing GUI and Vikunja API listeners gained fail-closed loopback asserts.
  • Every ext4-vs-exFAT storage guard resolves the full real path (a symlinked leaf can no longer smuggle a SQLite DB onto the exFAT SD).
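The symlinked-leaf case from the last item, as an added example that is not the project's own code: a guard that compares the path as written next to one that canonicalises it first and fails closed. It assumes the SD mount point is passed in as an argument (the project's guard may check the filesystem type instead); the function names and the temp-dir layout are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. Assumption: the SD mount point is
# known and passed as $2. Return 0 = path may hold a SQLite DB, 1 = refuse.

# Weak form: tests the path string as written, so a symlinked leaf passes.
naive_guard() {
  case "$1" in
    "$2"/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# Hardened form: resolve every component of both paths, refuse on any failure.
realpath_guard() {
  real_db=$(readlink -f -- "$1") || return 1
  real_sd=$(readlink -f -- "$2") || return 1
  [ -n "$real_db" ] && [ -n "$real_sd" ] || return 1
  case "$real_db" in
    "$real_sd"|"$real_sd"/*) return 1 ;;   # resolved location is on the SD
    *)                       return 0 ;;
  esac
}

verdict() { if "$@"; then echo allow; else echo deny; fi; }

# Constructed layout: apps/memos is a symlink whose target lives on the "SD".
demo() {
  tmp=$(mktemp -d) || return 2
  sd="$tmp/sd"; home="$tmp/home"
  mkdir -p "$sd/memos" "$home/.pocket/memos" "$home/apps"
  : > "$sd/memos/app.db"
  : > "$home/.pocket/memos/app.db"
  ln -s "$sd/memos" "$home/apps/memos"
  n=$(verdict naive_guard    "$home/apps/memos/app.db"    "$sd")
  h=$(verdict realpath_guard "$home/apps/memos/app.db"    "$sd")
  l=$(verdict realpath_guard "$home/.pocket/memos/app.db" "$sd")
  rm -rf "$tmp"
  echo "naive=$n hardened=$h local=$l"
}

demo
```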

Changed

  • SQLite databases for Linkding, Memos, Vikunja, and FreshRSS moved to ext4 ($HOME/.pocket/<app>) — exFAT cannot do POSIX locks / atomic rename / durable fsync, which corrupts SQLite. An existing data dir on the SD is auto-migrated once (backed up first; the original is left in place to remove after verifying). Validated end-to-end on arm64 (WAL data intact).
  • exobot pins gradio instead of --upgrade; the metrics sampler defaults OFF in setup.sh.

Fixed

  • Admin panel: Dufs / FileBrowser / Syncthing now appear in the health + restart wiring, the Tailscale restart button resolves, and the restart-button row lists the v0.6–v0.9 apps.

See CHANGELOG.md for detail.