v0.16.2
Security hardening and async correctness
This release focuses on closing security gaps and removing blocking I/O from the event loop. No new user-facing features.
Security
- HTTPS enforced on signaling URL — default URL upgraded; insecure
http:///ws://schemes received via push notifications are auto-upgraded tohttps:///wss://. - Config flow URL validation — API and auth URLs now require HTTPS scheme.
send_audiopath validation — audio file paths validated againsthass.config.media_dirsto prevent arbitrary file reads.- Explicit
shell=Falsefor ffmpeg recording calls.
Reliability
- Transient setup failures raise
ConfigEntryNotReady(HA retries) instead of crashing. - Notification dedup uses ordered
deque(maxlen=100)instead of unorderedset. - TTS temp files cleaned up after use.
- Recording cleanup runs as a background task and no longer blocks startup.
- Hardcoded
/media/paths replaced byhass.config.media_dirs.
Async correctness
gTTS.save, glob fallback,mkdir, andmedia_sourcepath resolution moved to executors.pymediasouppatch deferred until first stream start instead of running at module import.dispatcher_send→async_dispatcher_sendacross the coordinator.- Replaced deprecated
asyncio.get_event_loop()withget_running_loop()captured outside the threadsafe callback.
Cleanup
- Camera icon centralized in
icons.json(mdi:doorbell-video); redundant_attr_iconremoved from sensor descriptors.
Full changelog: https://github.com/bvis/fermax-blue-hass/blob/main/CHANGELOG.md