v0.9.1 — pre-1.0 hardening
Pre-release
Pre-1.0 hardening — fixes from a multi-agent security + correctness audit of the whole tree. All changes are backward-compatible; the SQLite relocation auto-migrates (with a backup).
Security
- No cleartext-secret leak path on the public repo: `.gitignore` now ignores `.env.bak*`/`.env.tmp*`, and `tools/leak-scan.sh` gained a JWT-shaped backstop.
- The MCP HTTP transport binds loopback only (`127.0.0.1`) with a fail-closed assert.
- Admin-panel log redaction now scrubs S3/R2/SMTP credentials (from the 0600 `secrets/*.env` files) and is applied to the `/action` + `/confirm` output. The SnappyMail admin password is hashed off-argv (via stdin).
- Kavita + Audiobookshelf: the optional Matrix-SSO `forward_auth` block moved inside the catch-all `handle {}` so it can never be hoisted ahead of the OPDS / token-API exemption (caddy-validated).
- Syncthing GUI and Vikunja API listeners gained fail-closed loopback asserts.
- Every ext4-vs-exFAT storage guard resolves the full real path (a symlinked leaf can no longer smuggle a SQLite DB onto the exFAT SD).
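As an added illustration of the real-path storage guard (example code, not the project's own guard): the check below resolves symlinks before matching a data dir against a constructed `/proc/mounts`-style table, so a symlinked leaf that the unresolved check would accept is rejected once the target turns out to live on exFAT. Mount table, directory layout and the `fuseblk` entry are assumptions made for the demo.

```python
import os
import tempfile

# Filesystems that cannot host SQLite safely (no POSIX locks, no atomic rename,
# no durable fsync). fuseblk is how FUSE-mounted exFAT appears; rejecting it is
# the fail-closed choice and is an assumption of this example.
UNSAFE_FS = {"exfat", "vfat", "msdos", "fuseblk"}

def parse_mounts(text):
    """Parse /proc/mounts-style lines into [(mountpoint, fstype), ...]."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        # /proc/mounts octal-escapes spaces in mount points as \040
        table.append((parts[1].replace("\\040", " "), parts[2]))
    return table

def fstype_of(path, mounts):
    """Filesystem type of the longest mount point that is a prefix of path."""
    best, fstype = "", None
    for mnt, fs in mounts:
        prefix = mnt.rstrip("/") + "/"
        if (path == mnt or path.startswith(prefix)) and len(mnt) > len(best):
            best, fstype = mnt, fs
    return fstype

def check_data_dir(path, mounts, resolve=True):
    """Return (ok, real_path, fstype). resolve=True follows symlinks (the
    hardened guard); resolve=False mimics a guard that only normalises."""
    real = os.path.realpath(path) if resolve else os.path.abspath(path)
    fs = fstype_of(real, mounts)
    return (fs is not None and fs not in UNSAFE_FS, real, fs)

def demo():
    """Constructed layout: an exFAT 'SD card' mount plus a symlinked leaf
    under the ext4 home that points into it. Returns (naive_ok, fixed_ok, fs)."""
    root = os.path.realpath(tempfile.mkdtemp())
    sd, home = os.path.join(root, "sd"), os.path.join(root, "home", ".pocket")
    os.makedirs(os.path.join(sd, "linkding"))
    os.makedirs(home)
    leaf = os.path.join(home, "linkding")
    os.symlink(os.path.join(sd, "linkding"), leaf)
    # Constructed mount table, not read from the live system.
    mounts = parse_mounts(f"/dev/root / ext4 rw 0 0\n/dev/sda1 {sd} exfat rw 0 0\n")
    naive_ok = check_data_dir(leaf, mounts, resolve=False)[0]
    fixed_ok, _, fs = check_data_dir(leaf, mounts)
    return naive_ok, fixed_ok, fs
```

Running `demo()` returns `(True, False, "exfat")`: the unresolved check passes the symlink, the resolved check refuses it.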
Changed
- SQLite databases for Linkding, Memos, Vikunja, and FreshRSS moved to ext4 (`$HOME/.pocket/<app>`) — exFAT cannot do POSIX locks / atomic rename / durable fsync, which corrupts SQLite. An existing data dir on the SD is auto-migrated once (backed up first; the original is left in place to remove after verifying). Validated end-to-end on arm64 (WAL data intact).
- exobot pins `gradio` instead of `--upgrade`; the metrics sampler defaults OFF in `setup.sh`.
Fixed
- Admin panel: Dufs / FileBrowser / Syncthing now appear in the health + restart wiring, the Tailscale restart button resolves, and the restart-button row lists the v0.6–v0.9 apps.
See CHANGELOG.md for detail.