Skip to content

Releases: TRC-Loop/Pelton

v1.0.7

Choose a tag to compare

@github-actions github-actions released this 11 Jul 22:04

Changes

fix: interface smaller than window on Linux - @TRC-Loop in #53

On Fedora (WebKitGTK), the interface rendered smaller than the window at every window size and every display scale, leaving dead space along the right and bottom edges and squeezing the pane layout. Not a renderer/backend issue (disproven on-device via WEBKIT_DISABLE_DMABUF_RENDERER, GDK_BACKEND=x11 and WEBKIT_DISABLE_COMPOSITING_MODE tests): the layout viewport itself disagreed with the widget size.

Two layout-level causes addressed:

  • Removed the mobile-style <meta name="viewport"> tag from index.html. WKWebView and WebView2 ignore it, but WebKitGTK can honor it and derive a layout viewport that does not match the actual widget.
  • The shell and #app are now sized with a percentage chain (html -> body -> #app -> .shell) instead of 100vw/100vh. Viewport units misresolve on WebKitGTK, and unlike percentages they are not compensated for the root css zoom used by the interface-scale setting, so this also replaces the old calc(100vh / var(--ui-scale)) workaround.

Also adds a small diagnostic: clicking the version in Settings > About toggles a readout of the engine's viewport numbers (inner/client/outer size, dpr, zoom), so future platform rendering issues can be diagnosed from a screenshot of a release build.

svelte-check: 0 errors. Verified on-device on Fedora 44 before merge.

Full Changelog: v1.0.6...v1.0.7

v1.0.6

Choose a tag to compare

@github-actions github-actions released this 11 Jul 20:38

Changes

fix: interface not resizing to fill window on linux maximize - @TRC-Loop in #51

Reported on Fedora: maximizing the Pelton window leaves blank space along the right and bottom edges, as if the interface rendered at the pre-maximize size and never grew to fill the new window bounds. Reproduced regardless of the interface scale setting (100% or otherwise), so it's not specific to the custom css zoom value - it's the underlying layout not recomputing at all against the new window size.

This matches a documented WebKitGTK quirk: a window-manager-driven resize (maximize), as opposed to a user manually dragging an edge, doesn't reliably make the webview recompute layout against the new viewport size.

Fix: reapply the current interface scale (which resets the root's css zoom, forcing a relayout) whenever a resize is detected, via both a window resize listener and a ResizeObserver on the document root (redundant on purpose, since it's unclear which signal reliably fires for a WM-driven maximize on WebKitGTK - either one firing is enough). Debounced via requestAnimationFrame. No-op-looking but effective; harmless on macOS/Windows where resize already reflows correctly on its own.

fix: linux menu-rebuild-on-language-change crashes the app - @TRC-Loop in #50

Reported on Fedora 44: after going through onboarding (which picks a language, even just confirming the default), every subsequent native menu click - including "Add Mailbox" - crashed the whole app:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0xf4a320]
github.com/wailsapp/wails/v2/internal/frontend/desktop/linux.handleMenuItemClick(...)
    .../wails/v2@v2.13.0/internal/frontend/desktop/linux/gtk.go:53

Root cause: App.RebuildMenu() (added for menu localization, #45) calls wails runtime.MenuSetApplicationMenu whenever the language setting changes, to update the native menu without a restart. On Linux, wails' GTK menu implementation doesn't cleanly replace the previous native menu's click-handler wiring (gtkSignalToMenuItem) when swapping in a new tree - once that's poisoned, every subsequent menu click nil-derefs inside wails' own code, not just the one that triggered the rebuild. Since a language change (even confirming the default during onboarding) happens near the very start of a session, this effectively broke the entire native menu for the rest of the session on Linux.

Fix: skip the live rebuild on Linux specifically (goruntime.GOOS == "linux"). buildMenu() already reads the persisted language fresh on every call, so the menu still comes up correctly translated on the next launch - it just doesn't live-update mid-session on Linux, which is a far better tradeoff than crashing. macOS and Windows are unaffected and keep the live update.

Full Changelog: v1.0.5...v1.0.6

v1.0.5

Choose a tag to compare

@github-actions github-actions released this 11 Jul 20:09

Changes

chore: drop macos intel build from release workflow - @TRC-Loop in #37

Removes the Intel entry from the macOS release matrix; releases now ship Apple Silicon only. Updates the README download instructions to match.

chore: flatten release changelog into one list - @TRC-Loop in #43

Collapses the Features / Bug Fixes / Other Changes sections in the auto-generated release notes into a single flat list. GitHub doesn't support alphabetical sorting within a category, so entries stay in merge order, but since PR titles already carry their conventional-commit type prefix (feat:, fix:, ...), same-type PRs merged together still tend to cluster.

feat: add mailbox button in the Mailboxes settings tab - @TRC-Loop in #41

Settings > Mailboxes only let you edit or remove existing mailboxes; there was no way to add one from there (the empty state literally pointed at "the Mailbox menu" instead). Adds an "Add mailbox…" button that opens the existing add-mailbox wizard (lazy-loaded like the other settings modals) right from the tab, and refreshes the list and sidebar once a mailbox is added.

feat: add privacy mode choice to onboarding - @TRC-Loop in #46

Adds a new onboarding step, right after the feature highlights, where the user picks between two existing settings combined into one decision:

  • Fully Private (Recommended): generated avatars only (no Gravatar/BIMI lookups), remote images in mail always blocked until loaded per message.
  • Normal: sender photos from Gravatar/verified domain logos, remote images load automatically without asking.

Each card states plainly what it turns on/off. Selecting applies immediately (setAvatarSource + setAlwaysLoadImages, both already existing settings-store functions used by the Settings panel), matching the rest of onboarding's "every pick applies live" behavior. The current selection is derived from those two settings rather than stored separately, so re-running onboarding shows the actual active mode, not a guess.

i18n across en/de/fr/nl/es.

feat: add website and docs links to About settings - @TRC-Loop in #42

Adds Website (pelton.app) and Docs (docs.pelton.app) buttons next to the existing GitHub/Report an issue/Contributors links in Settings > About, opening in the system browser like every other link there.

feat: export as a modal with mailbox and signature categories - @TRC-Loop in #38

Replaces the inline export checkboxes/button in Settings > Import/Export with a modal (styled after the image-allowlist modal), reached from a single Export button. Also expands what can be exported.

  • New ExportModal.svelte, lazy-loaded like the allowlist modal.
  • Two new export/import categories: Mailboxes (account server config only, no passwords/tokens, those stay in the OS keyring) and Signatures.
  • Import gets matching checkboxes for the new categories, shown only when the picked file actually contains them; importing mailboxes skips any email already present locally to avoid duplicates, same dedupe for signatures by name+kind.
  • i18n across en/de/fr/nl/es, including a hint that imported mailboxes need their password re-entered since credentials never leave the keyring.
feat: localize the native application menubar - @TRC-Loop in #45

The native menu bar (built in Go, before the webview or any frontend i18n exists) stayed hardcoded in English regardless of the app's language setting.

  • New internal/desktop/menu_i18n.go: a Go-side translation table for every menu label, covering en/de/fr/nl/es (falls back to English for anything else).
  • buildMenu now reads the current language setting and looks up strings from there instead of hardcoding them.
  • New App.RebuildMenu() swaps in a freshly-built menu via wails runtime.MenuSetApplicationMenu; SetSetting calls it whenever the language key changes, so switching language (in onboarding or Settings) updates the menu immediately instead of only on next launch.
  • The Mail menu's enabled/disabled state (whether a message is open) is now tracked on the App struct (mailActionsEnabled) so a menu rebuild restores it instead of resetting every item back to disabled.

Not translated: macOS's built-in menu.EditMenu() (Cut/Copy/Paste/Select All/Undo/Redo) ships with fixed English labels from wails itself with no override hook.

feat: optional encrypted password export for mailboxes - @TRC-Loop in #47

Extends the Mailboxes export/import category (from the export modal PR) with an opt-in way to carry credentials along too, instead of always requiring a re-login after importing.

Export

  • New checkbox under Mailboxes: "Also include passwords (encrypted)", which reveals a password + confirm field (min 8 chars, must match).
  • Each account's stored credential (loaded from the OS keyring the same way sync already does) is JSON-encoded and sealed with AES-256-GCM, keyed by a value derived from that password via scrypt (N=2^15) with a fresh random salt per account. Nothing is ever written in plain text; accounts with no stored credential are exported without one, not blocked.
  • This password is never Pelton's own anything - it only exists to protect this one file, and there's no recovery if it's forgotten (same tradeoff as any password-encrypted export/zip).

Import

  • The inspect step now reports whether the picked file carries any encrypted credentials at all (hasEncryptedCredentials), so the checkbox only appears when there's something to restore.
  • A wrong password fails loudly (AES-GCM's auth tag check) rather than silently skipping credentials or importing garbage.
  • Both the export and import password fields are entirely optional; leaving them out preserves today's behavior exactly (mailboxes import needs sign-in again).

i18n across en/de/fr/nl/es. golang.org/x/crypto (already an indirect dependency via go-keyring/wails) is now direct for scrypt.

feat: show a persistent developer mode indicator in the status bar - @TRC-Loop in #44

When PELTON_DEV is set (the make run / wails dev loop), the app already points at a separate "Pelton-dev" data directory so a dev run never touches a real install's accounts or mail - but there was no visual sign of it in the running app, easy to forget mid-session.

Adds App.IsDevMode() on the backend (reads the same env var storage.DefaultPath already checks) and a small "DEVELOPER MODE" badge at the left of the status bar, always visible whenever it's on, i18n'd across en/de/fr/nl/es.

fix: copr srpm build failing on fedora 43/44 - @TRC-Loop in #49

The v1.0.5 Copr build (https://copr.fedorainfracloud.org/coprs/build/10709296) failed on both fedora-43-x86_64 and fedora-44-x86_64, which is why dnf install pelton found an empty repo after enabling the Copr project - nothing had actually built.

Root cause, from the Copr build log:

warning: line 21: Possible unexpanded macro in: Version:        %{_pelton_version}
error: bad date in %changelog: Thu Jan 01 1970 Pelton release automation <me@arne.sh> - 0-1
error: Bad file: /builddir/build/SOURCES/pelton-%{_pelton_version}.tar.gz: No such file or directory

Two separate bugs, both in how the spec interacts with a newer rpm (6.x, shipped in Fedora 43+):

  1. Unexpanded %{_pelton_version}. The release workflow passed the version via rpmbuild --define "_pelton_version $VERSION", but that only affects that one local invocation - it's never stored inside the resulting SRPM. Copr re-runs rpmbuild -bs from the spec bundled in the SRPM as its own first build step, with no knowledge of that external define, so Version:/Source0: came out completely unresolved there. Fixed by baking %global _pelton_version <version> into the spec text itself before building, so it's self-contained.
  2. %changelog's placeholder date rejected. Fedora 43+'s rpm derives SOURCE_DATE_EPOCH from the top %changelog entry by default; our static placeholder entry's fake Thu Jan 01 1970 date got rejected outright as a "bad date" by the newer parser. Disabled that derivation in the spec (_source_date_epoch_from_changelog 0, both m...
Read more

v1.0.4

Choose a tag to compare

@github-actions github-actions released this 11 Jul 16:45
b19c0b0

Other Changes

fix: require a passing connection test before adding a mailbox - @TRC-Loop in #14

Summary

  • canSubmitPassword only checked that email/password/imapHost were non-empty, so the wizard's "Add" button was enabled without ever running "Test connection".
  • createAccount (backend) deliberately keeps the account even when the post-creation folder-discovery connection fails (so a temporarily-unreachable-but-real server isn't rejected outright) - which meant a completely invalid host sailed straight through with no validation at all.
  • "Add" is now gated on testOk === true; editing any tested field (email, password, host, port) invalidates a prior test result so a stale "ok" can't wave through a since-edited value. Added a small hint explaining why Add is disabled until tested.

Test plan

  • pnpm run check: clean
  • Manual verification in the running app pending

Summary

  • Enforced a successful connection test before enabling mailbox creation in AddMailboxWizard.svelte.
  • Reset the prior test result whenever email, password, IMAP host, or port changes, preventing stale validation from being reused.
  • Added a user-facing hint explaining that the connection must be tested before adding the mailbox.
  • Added the new hint string to the English, German, Spanish, French, and Dutch locale files.

AI usage

Probably — the PR contains signs of AI-assisted work, but not enough to say it was fully agentic or 100%.

build(deps): Bump golang.org/x/crypto from 0.51.0 to 0.52.0 - @dependabot[bot] in #19

Bumps golang.org/x/crypto from 0.51.0 to 0.52.0.

Commits
  • a1c0d99 go.mod: update golang.org/x dependencies
  • 3c7c869 ssh: fix deadlock on unexpected channel responses
  • 533fb3f ssh: fix source-address critical option bypass
  • abbc44d ssh: fix incorrect operator order
  • e052873 ssh: fix infinite loop on large channel writes due to integer overflow
  • b61cf85 ssh: enforce user presence verification for security keys
  • 9c2cd33 ssh: enforce strict limits on DSA key parameters
  • 8907318 ssh: reject RSA keys with excessively large moduli
  • ffd87b4 ssh: fix panic when authority callbacks are nil
  • 4e7a738 ssh: fix deadlock on unexpected global responses
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Updated go.mod to bump the indirect dependency golang.org/x/crypto from v0.51.0 to v0.52.0.

AI usage: Not Likely

build(deps): Bump the go-dependencies group with 2 updates - @dependabot[bot] in #20

Bumps the go-dependencies group with 2 updates: github.com/wailsapp/wails/v2 and golang.org/x/text.

Updates github.com/wailsapp/wails/v2 from 2.12.0 to 2.13.0

Release notes

Sourced from github.com/wailsapp/wails/v2's releases.

Wails v2.13.0

Installation

go install github.com/wailsapp/wails/v2/cmd/wails@v2.13.0

Changes

Added

Added

Fixed

  • Fixed wake (experimental WAILS_USE_WAKE=true build runner) running precondition sh: strings without template expansion, causing a spurious "garble is required for obfuscated builds" error on every build by @​leaanthony
  • Fixed nil pointer crash in application.Quit when called before Run or after Run returned early #5452 by @​c-tonneslan
Commits
  • 474b677 release: v2.13.0
  • 77fbbfa ci(npm): rebase-and-retry the version-bump push so publishes stop failing (#5...
  • 97f5f46 fix(v3/windows): guard FillRect against nil client rect in WM_ERASEBKGND (#5687)
  • 78254ef fix(v3): return error to frontend as dedicated Error objects instead of strin...
  • fd231e9 [skip ci] Publish @​wailsio/runtime v3.0.0-alpha.96
  • 198c9ce ci: verify the bundled runtime is built from source, not supplied by PRs (#5759)
  • 3c1ca71 fix(v3/windows): web server (server tag) build fails on Windows (#5680) (#5...
  • 0ea5f3a chore: update sponsors.svg and contributors...
Read more

v1.0.3

Choose a tag to compare

@github-actions github-actions released this 07 Jul 18:17

Other Changes

build(deps): Bump the frontend-dependencies group in /frontend with 2 updates - @dependabot[bot] in #7

Bumps the frontend-dependencies group in /frontend with 2 updates: marked and vite.

Updates marked from 15.0.12 to 18.0.5

Release notes

Sourced from marked's releases.

v18.0.5

18.0.5 (2026-06-04)

Bug Fixes

  • parse empty list item with trailing space (#3984) (b55410f)

v18.0.4

18.0.4 (2026-05-19)

Bug Fixes

v18.0.3

18.0.3 (2026-05-01)

Bug Fixes

  • avoid task checkbox for setext heading text (#3960) (2608e81)

v18.0.2

18.0.2 (2026-04-18)

Bug Fixes

  • fix infinite loop for indented code blank line (#3947) (58a52e8)

v18.0.1

18.0.1 (2026-04-17)

Bug Fixes

  • rules: ensure lookbehind regex is evaluated correctly by minifiers (#3945) (abd907a)

v18.0.0

18.0.0 (2026-04-07)

Bug Fixes

  • Bump typescript from 5.9.3 to 6.0.2 (#3934) (e8efc51)
  • prevent GFM table tokens from greedily capturing trailing newlines (#3926) (40f2665)
  • prevent heading and def tokens from greedily capturing multiple newlines (#3925) (b379e3e)

... (truncated)

Commits
  • 4063c63 chore(release): 18.0.5 [skip ci]
  • b55410f fix: parse empty list item with trailing space (#3984)
  • c6e667b chore(deps-dev): bump eslint from 10.4.0 to 10.4.1 (#3986)
  • 95f98ec chore(deps-dev): bump @​arethetypeswrong/cli from 0.18.2 to 0.18.3 (#3985)
  • c1a86f0 Add Node.js usage example to README (#3983)
  • 763f729 chore(deps-dev): bump marked-man from 2.1.0 to 2.1.1 (#3978)
  • 2cf1fd0 chore(deps-dev): bump markdown-it from 14.1.1 to 14.2.0 (#3977)
  • 0a2cd54 chore(release): 18.0.4 [skip ci]
  • 11adb69 fix: fix cli not reading stdin (#3967)
  • a37983f fix: cache list indentation regexes (#3969)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for marked since your current version.


Updates vite from 8.1.2 to 8.1.3

Release notes

Sourced from vite's releases.

v8.1.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.1.3 (2026-07-02)

Bug Fixes

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manu...

Read more

v1.0.2

Choose a tag to compare

@github-actions github-actions released this 04 Jul 11:39
38ef7f1

Other Changes

Bump github.com/cloudflare/circl from 1.6.2 to 1.6.3 - @dependabot[bot] in #3

Bumps github.com/cloudflare/circl from 1.6.2 to 1.6.3.

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

Commits
  • 24ae53c Release CIRCL v1.6.3
  • 581020b Rename method to oddMultiplesProjective.
  • 12209a4 Removing unused cmov for jacobian points.
  • fcba359 ecc/p384: use of complete projective formulas for scalar multiplication.
  • 5e1bae8 ecc/p384: handle point doubling in point addition with Jacobian coordinates.
  • 3416046 Check opts for nil value.
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Updated the Go module dependency github.com/cloudflare/circl from v1.6.2 to v1.6.3 in go.mod.

AI usage: Not Likely

1.0.2 bug sweep - @TRC-Loop in #8

Summary

  • windows: native menu bar/title bar now follows the app's theme setting instead of always rendering light
  • windows installer: stops a running Pelton process before install/uninstall, asks for confirmation before uninstalling, requires real admin rights for an all-users install, installs to Program Files\Pelton (was Program Files (x86)<company>\Pelton), and bundles LICENSE/README/licenses
  • config sync: added an "import existing setup" flow (pick a folder, review what's found, confirm) alongside the existing setup wizard, and hardened file reads against transient failures reading cloud-sync placeholder files (e.g. Nextcloud virtual files)
  • fixed a couple of message-list race conditions (fast folder switching, concurrent scroll-triggered page loads), attachment filenames not sanitized for Windows, multi-byte UTF-8 truncation in message snippets, an OAuth callback goroutine leak, and OAuth secrets exceeding the Windows Credential Manager per-entry size limit

Test plan

  • go build ./..., go vet ./..., go test ./internal/...
  • pnpm run check, pnpm run build
  • manual: Windows install/upgrade/uninstall flow, theme switching, config sync import flow, OAuth login with a large token set

Summary

  • Updated Windows installer behavior: uses Program Files\Pelton for all-users installs, requires admin rights for that mode, confirms uninstall, stops running app processes before install/uninstall, and bundles license/readme files.
  • Added a new config sync “import existing setup” flow, with matching locale strings and modal behavior for browsing/importing an existing folder.
  • Hardened config sync file reads against transient cloud-sync placeholder failures by retrying reads/opens with backoff.
  • Fixed message list race conditions during rapid folder/page changes by ignoring stale async loads.
  • Improved Windows attachment filename sanitization, UTF-8 snippet truncation, OAuth callback handling, and credential storage for oversized secrets.
  • Applied native Windows theme updates so the app follows the selected/system theme more consistently.

AI usage

  • Very Likely that AI was used, and likely in an agentic/helping role rather than fully human-only.
docs: add AGENTS.md agent instructions - @TRC-Loop in #9

Summary

  • Adds AGENTS.md (thin entry point) plus an AGENTS/ folder with per-area guides (privacy, design tokens, backend, frontend, git workflow, no-slop); CLAUDE.md/CODEX.md/AIDER.md point to it.
  • Adds release changelog automation: .github/release.yml (categories + exclude labels), PR auto-labeling by conventional-commit type, and a draft-release workflow that builds a categorized, collapsible changelog on tag push.

Test plan

  • Open a PR with a feat:/fix:/docs: title and confirm the label gets applied
  • Push a test tag and confirm a draft release is created with the expected categorized body

Full Changelog: v1.0.1...v1.0.2

1.0.1

Choose a tag to compare

@TRC-Loop TRC-Loop released this 02 Jul 20:16
bf0d1a0

What's Changed

New Contributors

Full Changelog: v1.0.0...v1.0.1

Initial Release

Choose a tag to compare

@TRC-Loop TRC-Loop released this 02 Jul 18:07

What's Changed

  • Bump github.com/wailsapp/wails/v2 from 2.10.1 to 2.12.0 in the go-dependencies group by @dependabot[bot] in #1
  • Bump the frontend-dependencies group in /frontend with 5 updates by @dependabot[bot] in #2

New Contributors

Full Changelog: https://github.com/TRC-Loop/Pelton/commits/v1.0.0