v1.4.0.0: Security, audit log, and UI overhaul

@boubli boubli released this 20 Jun 14:42
· 34 commits to main since this release

Big one. This release is mostly about making AMUD safer to run in production, easier to trust, and nicer to look at every day.

If you're coming from v1.3.7.x, run update-amud.sh as usual — your existing amud.db is upgraded in place. No wipe needed.


What's new

Audit log

Admin actions now get recorded in SQLite: logins, settings changes, backup exports, user management, and more. There's a new Audit tab in Settings so you can actually see what happened and from which IP.

Upgraded installs on Proxmox get the audit_log table automatically — no manual SQL.

Security hardening

  • Webhook URLs are masked in the API and outbound targets are filtered (no localhost/metadata SSRF).
  • Health checks block loopback/metadata while still allowing normal homelab RFC1918 targets.
  • New .env.example documents AMUD_TRUST_PROXY, AMUD_SECURE_COOKIES, and AMUD_SECRETS_KEY.
  • Branding fields in the dashboard are HTML-escaped before they hit the template.
  • Settings tables and modals build rows with DOM APIs instead of innerHTML string soup.
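
An added sketch of the address policy that the webhook and health-check bullets describe, written for this page and not AMUD's own code: loopback and link-local addresses (which include the 169.254.169.254 metadata address) are refused while RFC1918 targets pass. All names are hypothetical; refusing the unspecified address and unwrapping IPv4-mapped IPv6 are assumptions beyond what the release notes state.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Why a target was refused. Names are illustrative, not AMUD's.
#[derive(Debug, PartialEq)]
pub enum Blocked { Loopback, LinkLocal, Unspecified, NoAddress }

fn check_v4(ip: Ipv4Addr) -> Result<(), Blocked> {
    if ip.is_loopback() { return Err(Blocked::Loopback); }       // 127.0.0.0/8
    if ip.is_link_local() { return Err(Blocked::LinkLocal); }    // 169.254.0.0/16
    if ip.is_unspecified() { return Err(Blocked::Unspecified); } // 0.0.0.0
    Ok(()) // RFC1918 ranges fall through and stay reachable
}

fn check_v6(ip: Ipv6Addr) -> Result<(), Blocked> {
    // ::ffff:a.b.c.d is judged as the IPv4 address it wraps.
    if let Some(v4) = ip.to_ipv4_mapped() { return check_v4(v4); }
    if ip.is_loopback() { return Err(Blocked::Loopback); }       // ::1
    if (ip.segments()[0] & 0xffc0) == 0xfe80 {
        return Err(Blocked::LinkLocal);                          // fe80::/10
    }
    if ip.is_unspecified() { return Err(Blocked::Unspecified); } // ::
    Ok(())
}

/// Check every address a hostname resolved to; one bad record refuses the
/// whole target. Connect to the checked addresses afterwards rather than
/// resolving again, so a second DNS answer cannot bypass the check.
pub fn check_target(resolved: &[IpAddr]) -> Result<(), Blocked> {
    if resolved.is_empty() { return Err(Blocked::NoAddress); }
    resolved.iter().try_for_each(|ip| match ip {
        IpAddr::V4(a) => check_v4(*a),
        IpAddr::V6(a) => check_v6(*a),
    })
}

fn main() {
    // Constructed sample targets, not taken from AMUD.
    for s in ["192.168.1.20", "10.0.0.5", "127.0.0.1", "169.254.169.254",
              "::1", "::ffff:127.0.0.1", "fe80::1", "0.0.0.0"] {
        let ip: IpAddr = s.parse().expect("valid literal");
        println!("{:<18} {:?}", s, check_target(&[ip]));
    }
}
```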

Database

SQLite now runs with WAL mode and foreign keys enforced. Better concurrency, fewer weird edge cases on busy instances.

Dashboard & UI

  • Proxmox-inspired status chips and badge styling across the main grid.
  • Settings drawer got a proper audit view and safer client-side rendering (admin.js helpers).
  • Accessibility pass: button types, label associations, contrast fixes on badges and login errors.
  • Service worker and login page use globalThis for broader browser compatibility.

CI / quality

  • SonarCloud quality gate is green: Security, Reliability, Maintainability all A, hotspots reviewed.
  • All GitHub Actions pinned to commit SHAs.
  • cargo audit runs in CI; Dependabot config removed (manual dep review instead).

Install scripts

  • setup-amud.sh / setup-hydrivax.sh / update-amud.sh — cleaner bash ([[ tests), shared awk constant, agent service path constant.

Docker

  • FROM scratch image unchanged in spirit — static musl binary, minimal attack surface. Documented why it runs as root (no users in scratch).

Upgrade

./update-amud.sh

Or pull the new container image if you run Docker.

Verify the version in Settings → System shows v1.4.0.0.


Checksums

See SHA256SUMS in the release assets. Always verify before deploying to production.


Full diff since v1.3.7.3: v1.3.7.3...v1.4.0.0