Skip to content

v1.1.0 — Security hardening, code quality & infrastructure

Choose a tag to compare

@gerfru gerfru released this 10 Jun 17:57
ce8f963

What's new since v1.0.0

Security & Observability

  • Token TTL values corrected in password-reset and email-verification mail copy
  • Sentry DSN now reaches sync-service and ml-service (was api-only)
  • Backup Docker image pinned by digest + included in Trivy CI scan
  • Deletion-token no longer logged (was appearing in structured-log output)
  • GDPR consent audit log (V27 migration): immutable user_consent_events table for Art. 5(2) accountability
  • Seizure endpoints now enforce epilepsy_mode flag at the route layer

Docker & CI Infrastructure

  • All three Dockerfiles install from uv.lock (reproducible builds, no resolver drift)
  • init: true on sync-service + ml-service (PID 1 / zombie reaping)
  • no-new-privileges:true security option on all app containers
  • Compose healthchecks upgraded: APScheduler sentinel + /ready probe for sync + ml
  • DB pool utilisation exposed in /api/metrics (db_pool_used, db_pool_max)
  • Renovate dockerfile manager: digest-only updates automerge
  • SBOM generation switched from curl | sh to SHA-pinned anchore/sbom-action

Python Code Quality

  • asyncio.get_event_loop()get_running_loop() (deprecated call removed)
  • IP-hash double-call deduplicated; bcrypt cost factor explicit (rounds=12)
  • HRV validation helper extracted; deferred import moved to module scope
  • libre_password explicitly deleted from memory after use (analogous to garmin.py)

JS Code Quality

  • activity.js now imports shared utilities instead of redefining them
  • buildHealthCharts split into per-chart-type helpers
  • dashboard-hero.js split into dashboard-ml-feedback.js + dashboard-evidence.js
  • scoreColor consolidated to a single threshold across all call sites
  • Evidence-badge constants (EV_LEVEL_SHORT, EV_LEVEL_CLS) centralised in dashboard-utils.js
  • econRow() output escaped with esc() (XSS hardening)

Tests

  • New PATCH-validation test for seizure endpoint (422 path)
  • Activity IDOR cross-user E2E test added
  • Existing IDOR E2E tests guarded with CI_HAS_DATA skip-marker
  • Misleading test names corrected; weak assertion in sync-service test fixed

Infrastructure & Docs

  • Deploy and test Compose files moved to deploy/ (cleaner root directory)
  • .gitignore extended: .mypy_cache/, .pytest_cache/, .ruff_cache/
  • All documentation synced with current codebase: deploy paths, migration range V1–V27, V26+V27 entries added
  • CLAUDE.md env-table corrected (SYNC_INTERVAL_HOURS, migration range, CI job count)

Dashboard UI (from earlier PRs in this cycle)

  • Dashboard ↔ Metrics navigation: clickable charts, curated "Deine Metriken" bar, related-metrics block
  • Sticky top-bar, segmented time-range selector, sync status pill
  • Time-range labels (1W · 2W · 1M · 3M · 1J) fixed; onboarding dismiss CSP-safe