Releases: ernestdefoe/calendar

2.0.6 — security + hardening

09 Jun 18:27

Security + hardening release (Floxum re-audit fixes).

  • Security (HIGH): event URLs are now scheme-allowlisted (http/https) — javascript:/data: URLs can no longer be stored and rendered as an <a href> (stored-XSS fix), with a matching guard in the event detail modal.
  • Security: RSVP is restricted to published events (or the author's own draft) — a guessed draft ID can't have its RSVP counts polluted.
  • Performance: indexed users.cal_birthday (was a full table scan on the celebrations widget); the iCal feed eager-loads category + user to avoid N+1 during serialisation.
  • Conventions: resolve() moved out of the schema getter into the fields builder.
  • Refactor: CalendarPage split into focused MonthGrid / TimeGrid / EventListView components (no functional change; verified across month/week/list views).
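
The scheme allowlist from the first item above, sketched as an added example (not the extension's own code): one check used both when an event URL is saved and again when the detail view builds the link. `safeEventHref`, `eventLinkAttrs` and `ALLOWED_SCHEMES` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example, not code from ernestdefoe/calendar. All names are hypothetical.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalised absolute URL that may be stored and rendered as a link,
// or null when the value must be rejected.
function safeEventHref(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    // No base URL is passed, so relative and scheme-relative inputs throw.
    // The WHATWG parser trims surrounding whitespace and lowercases the scheme,
    // so the allowlist is checked against what a browser would act on,
    // not against the raw string.
    url = new URL(raw);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render-time guard: rows saved before the allowlist existed are re-checked,
// and anything that fails is shown as plain text instead of an anchor.
function eventLinkAttrs(storedUrl) {
  const href = safeEventHref(storedUrl);
  return href ? { href, rel: 'noopener noreferrer nofollow' } : null;
}

// Constructed sample inputs: [value, expected to be accepted]
const SAMPLES = [
  ['https://example.org/meetup?id=7', true],
  ['  HTTP://Example.org/x ', true],
  ['JaVaScRiPt:alert(1)', false],
  ['data:text/html,<b>x</b>', false],
  ['/events/5', false],
  ['//example.org/x', false],
];

// Returns the sample values whose outcome differs from the expectation.
function mismatches() {
  return SAMPLES.filter(([v, ok]) => (safeEventHref(v) !== null) !== ok)
    .map(([v]) => v);
}
```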

2.0.5

06 Jun 18:36

Security

  • Draft events are no longer publicly readable. Single-event endpoint now 404s for unpublished events unless you're an event manager or the author. (#2)

Fixes

  • Event & category slug creation no longer 500s under a concurrent same-title race — it retries with a fresh suffix. (#3)

Performance

  • Cap expanded recurring occurrences and lower the listing row limit so a dense calendar can't spike memory/CPU. (#4)

Housekeeping

  • Remove an unused constant (#5); resolve the FoF Upload check lazily per-request instead of at parse time (#6); log instead of silently swallowing that detection failure (#7).

2.0.4

05 Jun 19:29

What's Changed

  • fix(security): don't serve unpublished events from the single-event iCal endpoint
  • fix: address remaining Floxum code-review findings

Full Changelog: 2.0.3...2.0.4

2.0.3

04 Jun 23:42

What's Changed

  • Page Builder: contribute calendar blocks to the editor palette

Full Changelog: 2.0.2...2.0.3

2.0.2

04 Jun 21:53

What's Changed

  • Fix create-event (no form wrapper), redesign event modal, use default loader

Full Changelog: 2.0.1...2.0.2

2.0.1

04 Jun 18:03

What's Changed

  • Phase A: engagement engine — activity heatmap, streaks & forum pulse
  • Phase B: live countdowns — [countdown=…] in posts + event countdowns
  • Phase C + D: On This Day memories + member celebrations (birthdays/anniversaries)
  • docs: README — document the engagement engine (heatmap, pulse, countdowns, memories, celebrations)
  • Fix calendar admin: missing widget-toggle labels + CategoryManager spinner loop
  • Fix CategoryManager render crash: key the 'add' row (mixed keyed/unkeyed fragment)

Full Changelog: 2.0.0...2.0.1

2.0.0

04 Jun 17:33

Add Week and Day time-grid views; fix admin extensionData crash

- New Week and Day views: true time grids (24h, scrollable) with hour gridlines,
  a live "now" indicator, all-day strip, side-by-side layout for overlapping
  events, and double-click-to-create pre-filled at the clicked slot. View switcher
  is now Month / Week / Day / List; navigation steps by the active unit.
- CalendarPage refactored onto a single `cursor` date driving every view.
- dates.ts: startOfDay/addDays/startOfWeek/weekDays/dayTitle/weekRangeLabel/
  hourLabel + layoutDay() (overlap-column packing).
- EventFormModal honours a pre-filled `day` for the default start time.
- Admin fix: register the category manager via Extend.Admin().customSetting()
  (the Flarum 2 declarative API) instead of app.extensionData.for() — the latter
  is undefined at initializer time and threw
  "undefined is not an object (evaluating 'extensionData.for')".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>