Releases
v1.1.0
v1.1.0 — Security hardening, code quality & infrastructure
Compare
Sorry, something went wrong.
No results found
gerfru
released this
10 Jun 17:57
What's new since v1.0.0
Security & Observability
Token TTL values corrected in password-reset and email-verification mail copy
Sentry DSN now reaches sync-service and ml-service (was api-only)
Backup Docker image pinned by digest + included in Trivy CI scan
Deletion-token no longer logged (was appearing in structured-log output)
GDPR consent audit log (V27 migration): immutable user_consent_events table for Art. 5(2) accountability
Seizure endpoints now enforce epilepsy_mode flag at the route layer
Docker & CI Infrastructure
All three Dockerfiles install from uv.lock (reproducible builds, no resolver drift)
init: true on sync-service + ml-service (PID 1 / zombie reaping)
no-new-privileges:true security option on all app containers
Compose healthchecks upgraded: APScheduler sentinel + /ready probe for sync + ml
DB pool utilisation exposed in /api/metrics (db_pool_used, db_pool_max)
Renovate dockerfile manager: digest-only updates automerge
SBOM generation switched from curl | sh to SHA-pinned anchore/sbom-action
Python Code Quality
asyncio.get_event_loop() → get_running_loop() (deprecated call removed)
IP-hash double-call deduplicated; bcrypt cost factor explicit (rounds=12)
HRV validation helper extracted; deferred import moved to module scope
libre_password explicitly deleted from memory after use (analogous to garmin.py)
JS Code Quality
activity.js now imports shared utilities instead of redefining them
buildHealthCharts split into per-chart-type helpers
dashboard-hero.js split into dashboard-ml-feedback.js + dashboard-evidence.js
scoreColor consolidated to a single threshold across all call sites
Evidence-badge constants (EV_LEVEL_SHORT, EV_LEVEL_CLS) centralised in dashboard-utils.js
econRow() output escaped with esc() (XSS hardening)
Tests
New PATCH-validation test for seizure endpoint (422 path)
Activity IDOR cross-user E2E test added
Existing IDOR E2E tests guarded with CI_HAS_DATA skip-marker
Misleading test names corrected; weak assertion in sync-service test fixed
Infrastructure & Docs
Deploy and test Compose files moved to deploy/ (cleaner root directory)
.gitignore extended: .mypy_cache/, .pytest_cache/, .ruff_cache/
All documentation synced with current codebase: deploy paths, migration range V1–V27, V26+V27 entries added
CLAUDE.md env-table corrected (SYNC_INTERVAL_HOURS, migration range, CI job count)
Dashboard UI (from earlier PRs in this cycle)
Dashboard ↔ Metrics navigation: clickable charts, curated "Deine Metriken" bar, related-metrics block
Sticky top-bar, segmented time-range selector, sync status pill
Time-range labels (1W · 2W · 1M · 3M · 1J) fixed; onboarding dismiss CSP-safe
You can’t perform that action at this time.